From a0c8e86ac878ec1f6dd802b3d3b0489c05f45b49 Mon Sep 17 00:00:00 2001 
From: "ci.datadog-api-spec" Date: Thu, 7 Mar 2024 18:32:13 +0000 Subject: [PATCH] Regenerate client from commit eddc6169 of spec repo --- .apigentools-info | 8 +- .generator/schemas/v2/openapi.yaml | 185 ++ docs/datadog_api_client.v2.model.rst | 14 + .../CreateCSMThreatsAgentRule.py | 35 + .../DeleteCSMThreatsAgentRule.py | 17 + .../DownloadCSMThreatsPolicy.py | 13 + .../GetCSMThreatsAgentRule.py | 19 + .../ListCSMThreatsAgentRules.py | 13 + .../UpdateCSMThreatsAgentRule.py | 39 + .../v2/api/cloud_workload_security_api.py | 224 ++ ...oud_workload_security_agent_rule_action.py | 56 + ...workload_security_agent_rule_attributes.py | 21 +- ...cloud_workload_security_agent_rule_kill.py | 36 + ...orkload_security_agent_rule_update_data.py | 12 +- src/datadog_api_client/v2/models/__init__.py | 4 + ...t_rule_returns_bad_request_response.frozen | 2 +- ...ent_rule_returns_bad_request_response.yaml | 8 +- ...rity_agent_rule_returns_ok_response.frozen | 2 +- ...curity_agent_rule_returns_ok_response.yaml | 20 +- ...t_rule_returns_bad_request_response.frozen | 1 + ...ent_rule_returns_bad_request_response.yaml | 22 + ...gent_rule_returns_conflict_response.frozen | 1 + ..._agent_rule_returns_conflict_response.yaml | 40 + ...eats_agent_rule_returns_ok_response.frozen | 1 + ...hreats_agent_rule_returns_ok_response.yaml | 40 + ...ent_rule_returns_not_found_response.frozen | 2 +- ...agent_rule_returns_not_found_response.yaml | 4 +- ...rity_agent_rule_returns_ok_response.frozen | 2 +- ...curity_agent_rule_returns_ok_response.yaml | 26 +- ...ent_rule_returns_not_found_response.frozen | 1 + ...agent_rule_returns_not_found_response.yaml | 20 + ...eats_agent_rule_returns_ok_response.frozen | 1 + ...hreats_agent_rule_returns_ok_response.yaml | 58 + ...ent_rule_returns_not_found_response.frozen | 2 +- ...agent_rule_returns_not_found_response.yaml | 4 +- ...rity_agent_rule_returns_ok_response.frozen | 2 +- ...curity_agent_rule_returns_ok_response.yaml | 34 +- 
...ent_rule_returns_not_found_response.frozen | 1 + ...agent_rule_returns_not_found_response.yaml | 20 + ...eats_agent_rule_returns_ok_response.frozen | 1 + ...hreats_agent_rule_returns_ok_response.yaml | 59 + ...ity_agent_rules_returns_ok_response.frozen | 2 +- ...urity_agent_rules_returns_ok_response.yaml | 1810 ++++++++------- ...ats_agent_rules_returns_ok_response.frozen | 1 + ...reats_agent_rules_returns_ok_response.yaml | 1418 ++++++++++++ ...security_policy_returns_ok_response.frozen | 2 +- ...d_security_policy_returns_ok_response.yaml | 1975 ++++++++++------- ..._threats_policy_returns_ok_response.frozen | 1 + ...sm_threats_policy_returns_ok_response.yaml | 18 + ...t_rule_returns_bad_request_response.frozen | 2 +- ...ent_rule_returns_bad_request_response.yaml | 28 +- ...ent_rule_returns_not_found_response.frozen | 2 +- ...agent_rule_returns_not_found_response.yaml | 4 +- ...rity_agent_rule_returns_ok_response.frozen | 2 +- ...curity_agent_rule_returns_ok_response.yaml | 34 +- ...t_rule_returns_bad_request_response.frozen | 1 + ...ent_rule_returns_bad_request_response.yaml | 61 + ...ent_rule_returns_not_found_response.frozen | 1 + ...agent_rule_returns_not_found_response.yaml | 23 + ...eats_agent_rule_returns_ok_response.frozen | 1 + ...hreats_agent_rule_returns_ok_response.yaml | 62 + .../features/cloud_workload_security.feature | 101 + tests/v2/features/given.json | 12 + tests/v2/features/undo.json | 43 + 64 files changed, 5021 insertions(+), 1653 deletions(-) create mode 100644 examples/v2/cloud-workload-security/CreateCSMThreatsAgentRule.py create mode 100644 examples/v2/cloud-workload-security/DeleteCSMThreatsAgentRule.py create mode 100644 examples/v2/cloud-workload-security/DownloadCSMThreatsPolicy.py create mode 100644 examples/v2/cloud-workload-security/GetCSMThreatsAgentRule.py create mode 100644 examples/v2/cloud-workload-security/ListCSMThreatsAgentRules.py create mode 100644 examples/v2/cloud-workload-security/UpdateCSMThreatsAgentRule.py create 
mode 100644 src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_action.py create mode 100644 src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_kill.py create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_conflict_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_conflict_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.frozen create mode 100644 
tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.yaml diff --git a/.apigentools-info b/.apigentools-info index 4f71fad68b..88c9d65cf3 100644 --- a/.apigentools-info +++ b/.apigentools-info @@ -4,13 +4,13 @@ "spec_versions": { "v1": { "apigentools_version": "1.6.6", - "regenerated": "2024-03-07 16:40:15.725956", - "spec_repo_commit": "ba5b230c" + "regenerated": "2024-03-07 18:31:43.564144", + "spec_repo_commit": "eddc6169" }, "v2": { "apigentools_version": "1.6.6", - "regenerated": "2024-03-07 16:40:15.743321", - "spec_repo_commit": "ba5b230c" + "regenerated": "2024-03-07 18:31:43.581639", + "spec_repo_commit": "eddc6169" } } } \ No newline at end of file diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 9201083ceb..2fe3dc91d1 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml 
@@ -3919,9 +3919,27 @@ components: type: string x-enum-varnames: - CLOUD_COST_ACTIVITY + CloudWorkloadSecurityAgentRuleAction: + description: The action the rule can perform if triggered. + properties: + filter: + description: The selector to target the container on which the action is + performed + type: string + kill: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleKill' + type: object + CloudWorkloadSecurityAgentRuleActions: + description: The array of actions the rule can perform if triggered. + items: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleAction' + nullable: true + type: array CloudWorkloadSecurityAgentRuleAttributes: description: A Cloud Workload Security Agent rule returned by the API. properties: + actions: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions' agentConstraint: description: The version of the agent. type: string @@ -3960,6 +3978,7 @@ components: description: The platforms the Agent rule is supported on. items: type: string + nullable: true type: array name: description: The name of the Agent rule. @@ -4054,6 +4073,17 @@ components: type: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleType' type: object + CloudWorkloadSecurityAgentRuleID: + description: The ID of the agent rule. + example: 3dd-0uc-h1s + type: string + CloudWorkloadSecurityAgentRuleKill: + description: The kill signal of the agent rule + properties: + signal: + description: The scope of the kill action + type: string + type: object CloudWorkloadSecurityAgentRuleResponse: description: Response object that includes an Agent rule. properties: @@ -4090,6 +4120,8 @@ components: properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateAttributes' + id: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleID' type: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleType' required: 
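Review bot: `CloudWorkloadSecurityAgentRuleKill.signal` is described as `The scope of the kill action`, which does not describe a signal; the description should state what the value is, e.g. `description: The signal the kill action sends to the matched process`. The property is a free-form `type: string` with no `enum` or `pattern`, so neither the spec nor the generated client can reject an unsupported value before a rule that terminates processes is created; if the backend accepts a fixed set of signal names, listing them here (or at least documenting the accepted form) would let clients validate up front. The same wording is presumably regenerated into the `cloud_workload_security_agent_rule_kill.py` model listed in the diffstat.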
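Review bot: `CloudWorkloadSecurityAgentRuleUpdateData` now carries an `id`, while `UpdateCSMThreatsAgentRule` also receives the rule ID through the `{agent_rule_id}` path parameter, and nothing in the spec says what happens when the two differ. Document the relationship on the new property, e.g. `description: The ID of the agent rule. In an update request this should be the same value as the agent_rule_id path parameter.` if the backend requires them to match, or state which one the server honours if it does not. The `UpdateCSMThreatsAgentRule.py` example and the generated `update_csm_threats_agent_rule` method pass the same value in both places, which hides the question from users.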
@@ -29582,6 +29614,154 @@ paths: We are gradually onboarding support for more sources. If you have any feedback, contact [Datadog Support](https://docs.datadoghq.com/help/).' + /api/v2/remote_config/products/cws/agent_rules: + get: + description: Get the list of Cloud Security Management Threats Agent rules. + operationId: ListCSMThreatsAgentRules + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRulesListResponse' + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get all CSM Threats Agent rules + tags: + - Cloud Workload Security + post: + description: Create a new Cloud Security Management Threats Agent rule with + the given parameters. + operationId: CreateCSMThreatsAgentRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateRequest' + description: The definition of the new Agent rule. + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleResponse' + description: OK + '400': + $ref: '#/components/responses/BadRequestResponse' + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '409': + $ref: '#/components/responses/ConflictResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Create a CSM Threats Agent rule + tags: + - Cloud Workload Security + x-codegen-request-body-name: body + /api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}: + delete: + description: Delete a specific Cloud Security Management Threats Agent rule. 
+ operationId: DeleteCSMThreatsAgentRule + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + responses: + '204': + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Delete a CSM Threats Agent rule + tags: + - Cloud Workload Security + get: + description: Get the details of a specific Cloud Security Management Threats + Agent rule. + operationId: GetCSMThreatsAgentRule + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleResponse' + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get a CSM Threats Agent rule + tags: + - Cloud Workload Security + patch: + description: 'Update a specific Cloud Security Management Threats Agent rule. + + Returns the Agent rule object when the request is successful.' + operationId: UpdateCSMThreatsAgentRule + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateRequest' + description: New definition of the Agent rule. 
+ required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleResponse' + description: OK + '400': + $ref: '#/components/responses/BadRequestResponse' + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '409': + $ref: '#/components/responses/ConcurrentModificationResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Update a CSM Threats Agent rule + tags: + - Cloud Workload Security + x-codegen-request-body-name: body + /api/v2/remote_config/products/cws/policy/download: + get: + description: 'The download endpoint generates a CSM Threats policy file from + your currently active + + CSM Threats rules, and downloads them as a `.policy` file. This file can then + be deployed to + + your Agents to update the policy running in your environment.' + operationId: DownloadCSMThreatsPolicy + responses: + '200': + content: + application/zip: + schema: + format: binary + type: string + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get the latest CSM Threats policy + tags: + - Cloud Workload Security /api/v2/restriction_policy/{resource_id}: delete: description: Deletes the restriction policy associated with a specified resource. 
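Review bot: `DownloadCSMThreatsPolicy` describes its output as a `.policy` file, but the `200` response is declared as `application/zip` with a `format: binary` string schema, so a reader cannot tell whether the body is a zip archive wrapping the policy or the policy file itself. The description should say which it is, and if it is an archive, what it contains, since the text tells users to deploy the result straight to their Agents. The same sentence is regenerated into the `download_csm_threats_policy` docstring in `cloud_workload_security_api.py`, so fixing the spec fixes both.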
@@ -34821,6 +35001,11 @@ tags: [Test Visibility in Datadog page](https://docs.datadoghq.com/tests/) for more information. name: CI Visibility Tests +- description: Cloud Security Management Threats (CSM Threats) monitors file, network, + and process activity across your environment to detect real-time threats to your + infrastructure. See [Cloud Security Management Threats](https://docs.datadoghq.com/security/threats/) + for more information on setting up CSM Threats. + name: CSM Threats - description: View and manage cases and projects within Case Management. See the [Case Management page](https://docs.datadoghq.com/service_management/case_management/) for more information. diff --git a/docs/datadog_api_client.v2.model.rst b/docs/datadog_api_client.v2.model.rst index ec22867196..d00c99e95e 100644 --- a/docs/datadog_api_client.v2.model.rst +++ b/docs/datadog_api_client.v2.model.rst @@ -1492,6 +1492,13 @@ cloud\_cost\_activity\_type :members: :show-inheritance: +cloud\_workload\_security\_agent\_rule\_action +---------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_rule_action + :members: + :show-inheritance: + cloud\_workload\_security\_agent\_rule\_attributes -------------------------------------------------- @@ -1534,6 +1541,13 @@ cloud\_workload\_security\_agent\_rule\_data :members: :show-inheritance: +cloud\_workload\_security\_agent\_rule\_kill +-------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_rule_kill + :members: + :show-inheritance: + cloud\_workload\_security\_agent\_rule\_response ------------------------------------------------ diff --git a/examples/v2/cloud-workload-security/CreateCSMThreatsAgentRule.py b/examples/v2/cloud-workload-security/CreateCSMThreatsAgentRule.py new file mode 100644 index 0000000000..7005a8011c --- /dev/null +++ b/examples/v2/cloud-workload-security/CreateCSMThreatsAgentRule.py 
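Review bot: the new `CSM Threats` tag is defined here, but every operation added under `/api/v2/remote_config/products/cws/...` in this patch is tagged `Cloud Workload Security`, so within this diff the tag is never referenced. Either retag the new operations or drop the tag so generated documentation does not advertise an empty group; if it is consumed elsewhere in the spec outside this view, a short YAML comment on the entry saying so would save the next reader the search.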
@@ -0,0 +1,35 @@
+"""
+Create a CSM Threats Agent rule returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.cloud_workload_security_api import CloudWorkloadSecurityApi
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_attributes import (
+ CloudWorkloadSecurityAgentRuleCreateAttributes,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_data import (
+ CloudWorkloadSecurityAgentRuleCreateData,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_request import (
+ CloudWorkloadSecurityAgentRuleCreateRequest,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType
+
+body = CloudWorkloadSecurityAgentRuleCreateRequest(
+ data=CloudWorkloadSecurityAgentRuleCreateData(
+ attributes=CloudWorkloadSecurityAgentRuleCreateAttributes(
+ description="My Agent rule",
+ enabled=True,
+ expression='exec.file.name == "sh"',
+ name="my_agent_rule",
+ ),
+ type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE,
+ ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+ api_instance = CloudWorkloadSecurityApi(api_client)
+ response = api_instance.create_csm_threats_agent_rule(body=body)
+
+ print(response)
diff --git a/examples/v2/cloud-workload-security/DeleteCSMThreatsAgentRule.py b/examples/v2/cloud-workload-security/DeleteCSMThreatsAgentRule.py
new file mode 100644
index 0000000000..b35c467711
--- /dev/null
+++ b/examples/v2/cloud-workload-security/DeleteCSMThreatsAgentRule.py
@@ -0,0 +1,17 @@
+"""
+Delete a CSM Threats Agent rule returns "OK" response
+"""
+
+from os import environ
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.cloud_workload_security_api import CloudWorkloadSecurityApi
+
+# there is a valid "agent_rule_rc" in the system
+AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"]
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+ api_instance = CloudWorkloadSecurityApi(api_client)
+ api_instance.delete_csm_threats_agent_rule(
+ agent_rule_id=AGENT_RULE_DATA_ID,
+ )
diff --git a/examples/v2/cloud-workload-security/DownloadCSMThreatsPolicy.py b/examples/v2/cloud-workload-security/DownloadCSMThreatsPolicy.py
new file mode 100644
index 0000000000..527667af41
--- /dev/null
+++ b/examples/v2/cloud-workload-security/DownloadCSMThreatsPolicy.py
@@ -0,0 +1,13 @@
+"""
+Get the latest CSM Threats policy returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.cloud_workload_security_api import CloudWorkloadSecurityApi
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+ api_instance = CloudWorkloadSecurityApi(api_client)
+ response = api_instance.download_csm_threats_policy()
+
+ print(response.read())
diff --git a/examples/v2/cloud-workload-security/GetCSMThreatsAgentRule.py b/examples/v2/cloud-workload-security/GetCSMThreatsAgentRule.py
new file mode 100644
index 0000000000..91d981606b
--- /dev/null
+++ b/examples/v2/cloud-workload-security/GetCSMThreatsAgentRule.py
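Review bot: `print(response.read())` in `DownloadCSMThreatsPolicy.py` dumps the raw response body — declared `application/zip` by the spec — onto the terminal, which is not a usable way to consume a binary policy bundle and will garble most consoles. A more representative example writes it to disk, e.g. `with open("csm_threats_policy.zip", "wb") as f:` followed by `    f.write(response.read())`. This assumes `response.read()` yields bytes, which the `file_type` return annotation suggests but the hunk does not show.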
@@ -0,0 +1,19 @@
+"""
+Get a CSM Threats Agent rule returns "OK" response
+"""
+
+from os import environ
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.cloud_workload_security_api import CloudWorkloadSecurityApi
+
+# there is a valid "agent_rule_rc" in the system
+AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"]
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+ api_instance = CloudWorkloadSecurityApi(api_client)
+ response = api_instance.get_csm_threats_agent_rule(
+ agent_rule_id=AGENT_RULE_DATA_ID,
+ )
+
+ print(response)
diff --git a/examples/v2/cloud-workload-security/ListCSMThreatsAgentRules.py b/examples/v2/cloud-workload-security/ListCSMThreatsAgentRules.py
new file mode 100644
index 0000000000..17cf023af3
--- /dev/null
+++ b/examples/v2/cloud-workload-security/ListCSMThreatsAgentRules.py
@@ -0,0 +1,13 @@
+"""
+Get all CSM Threats Agent rules returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.cloud_workload_security_api import CloudWorkloadSecurityApi
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+ api_instance = CloudWorkloadSecurityApi(api_client)
+ response = api_instance.list_csm_threats_agent_rules()
+
+ print(response)
diff --git a/examples/v2/cloud-workload-security/UpdateCSMThreatsAgentRule.py b/examples/v2/cloud-workload-security/UpdateCSMThreatsAgentRule.py
new file mode 100644
index 0000000000..1fce0e0ec9
--- /dev/null
+++ b/examples/v2/cloud-workload-security/UpdateCSMThreatsAgentRule.py
@@ -0,0 +1,39 @@
+"""
+Update a CSM Threats Agent rule returns "OK" response
+"""
+
+from os import environ
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.cloud_workload_security_api import CloudWorkloadSecurityApi
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_update_attributes import (
+ CloudWorkloadSecurityAgentRuleUpdateAttributes,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_update_data import (
+ CloudWorkloadSecurityAgentRuleUpdateData,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_update_request import (
+ CloudWorkloadSecurityAgentRuleUpdateRequest,
+)
+
+# there is a valid "agent_rule_rc" in the system
+AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"]
+
+body = CloudWorkloadSecurityAgentRuleUpdateRequest(
+ data=CloudWorkloadSecurityAgentRuleUpdateData(
+ attributes=CloudWorkloadSecurityAgentRuleUpdateAttributes(
+ description="Test Agent rule",
+ enabled=True,
+ expression='exec.file.name == "sh"',
+ ),
+ type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE,
+ id=AGENT_RULE_DATA_ID,
+ ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+ api_instance = CloudWorkloadSecurityApi(api_client)
+ response = api_instance.update_csm_threats_agent_rule(agent_rule_id=AGENT_RULE_DATA_ID, body=body)
+
+ print(response)
diff --git a/src/datadog_api_client/v2/api/cloud_workload_security_api.py b/src/datadog_api_client/v2/api/cloud_workload_security_api.py
index 28ec794c50..b27bff533a 100644
--- a/src/datadog_api_client/v2/api/cloud_workload_security_api.py
+++ b/src/datadog_api_client/v2/api/cloud_workload_security_api.py
@@ -54,6 +54,26 @@ def __init__(self, api_client=None):
 api_client=api_client,
 )
+ self._create_csm_threats_agent_rule_endpoint = _Endpoint(
+ settings={
+ "response_type": (CloudWorkloadSecurityAgentRuleResponse,),
+ "auth": ["apiKeyAuth", "appKeyAuth"],
+ "endpoint_path": "/api/v2/remote_config/products/cws/agent_rules",
+ "operation_id": "create_csm_threats_agent_rule",
+ "http_method": "POST",
+ "version": "v2",
+ },
+ params_map={
+ "body": {
+ "required": True,
+ "openapi_types": (CloudWorkloadSecurityAgentRuleCreateRequest,),
+ "location": "body",
+ },
+ },
+ headers_map={"accept": ["application/json"], "content_type": ["application/json"]},
+ api_client=api_client,
+ )
+
 self._delete_cloud_workload_security_agent_rule_endpoint = _Endpoint(
 settings={
 "response_type": None,
@@ -77,6 +97,29 @@ def __init__(self, api_client=None):
 api_client=api_client,
 )
+ self._delete_csm_threats_agent_rule_endpoint = _Endpoint(
+ settings={
+ "response_type": None,
+ "auth": ["apiKeyAuth", "appKeyAuth"],
+ "endpoint_path": "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}",
+ "operation_id": "delete_csm_threats_agent_rule",
+ "http_method": "DELETE",
+ "version": "v2",
+ },
+ params_map={
+ "agent_rule_id": {
+ "required": True,
+ "openapi_types": (str,),
+ "attribute": "agent_rule_id",
+ "location": "path",
+ },
+ },
+ headers_map={
+ "accept": ["*/*"],
+ },
+ api_client=api_client,
+ )
+
 self._download_cloud_workload_policy_file_endpoint = _Endpoint(
 settings={
 "response_type": (file_type,),
@@ -93,6 +136,22 @@ def __init__(self, api_client=None):
 api_client=api_client,
 )
+ self._download_csm_threats_policy_endpoint = _Endpoint(
+ settings={
+ "response_type": (file_type,),
+ "auth": ["apiKeyAuth", "appKeyAuth"],
+ "endpoint_path": "/api/v2/remote_config/products/cws/policy/download",
+ "operation_id": "download_csm_threats_policy",
+ "http_method": "GET",
+ "version": "v2",
+ },
+ params_map={},
+ headers_map={
+ "accept": ["application/zip", "application/json"],
+ },
+ api_client=api_client,
+ )
+
 self._get_cloud_workload_security_agent_rule_endpoint = _Endpoint(
 settings={
 "response_type": (CloudWorkloadSecurityAgentRuleResponse,),
@@ -116,6 +175,29 @@ def __init__(self, api_client=None):
 api_client=api_client,
 )
+ self._get_csm_threats_agent_rule_endpoint = _Endpoint(
+ settings={
+ "response_type": (CloudWorkloadSecurityAgentRuleResponse,),
+ "auth": ["apiKeyAuth", "appKeyAuth"],
+ "endpoint_path": "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}",
+ "operation_id": "get_csm_threats_agent_rule",
+ "http_method": "GET",
+ "version": "v2",
+ },
+ params_map={
+ "agent_rule_id": {
+ "required": True,
+ "openapi_types": (str,),
+ "attribute": "agent_rule_id",
+ "location": "path",
+ },
+ },
+ headers_map={
+ "accept": ["application/json"],
+ },
+ api_client=api_client,
+ )
+
 self._list_cloud_workload_security_agent_rules_endpoint = _Endpoint(
 settings={
 "response_type": (CloudWorkloadSecurityAgentRulesListResponse,),
@@ -132,6 +214,22 @@ def __init__(self, api_client=None):
 api_client=api_client,
 )
+ self._list_csm_threats_agent_rules_endpoint = _Endpoint(
+ settings={
+ "response_type": (CloudWorkloadSecurityAgentRulesListResponse,),
+ "auth": ["apiKeyAuth", "appKeyAuth"],
+ "endpoint_path": "/api/v2/remote_config/products/cws/agent_rules",
+ "operation_id": "list_csm_threats_agent_rules",
+ "http_method": "GET",
+ "version": "v2",
+ },
+ params_map={},
+ headers_map={
+ "accept": ["application/json"],
+ },
+ api_client=api_client,
+ )
+
 self._update_cloud_workload_security_agent_rule_endpoint = _Endpoint(
 settings={
 "response_type": (CloudWorkloadSecurityAgentRuleResponse,),
@@ -158,6 +256,32 @@ def __init__(self, api_client=None):
 api_client=api_client,
 )
+ self._update_csm_threats_agent_rule_endpoint = _Endpoint(
+ settings={
+ "response_type": (CloudWorkloadSecurityAgentRuleResponse,),
+ "auth": ["apiKeyAuth", "appKeyAuth"],
+ "endpoint_path": "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}",
+ "operation_id": "update_csm_threats_agent_rule",
+ "http_method": "PATCH",
+ "version": "v2",
+ },
+ params_map={
+ "agent_rule_id": {
+ "required": True,
+ "openapi_types": (str,),
+ "attribute": "agent_rule_id",
+ "location": "path",
+ },
+ "body": {
+ "required": True,
+ "openapi_types": (CloudWorkloadSecurityAgentRuleUpdateRequest,),
+ "location": "body",
+ },
+ },
+ headers_map={"accept": ["application/json"], "content_type": ["application/json"]},
+ api_client=api_client,
+ )
+
 def create_cloud_workload_security_agent_rule(
 self,
 body: CloudWorkloadSecurityAgentRuleCreateRequest,
@@ -175,6 +299,23 @@ def create_cloud_workload_security_agent_rule(
 return self._create_cloud_workload_security_agent_rule_endpoint.call_with_http_info(**kwargs)
+ def create_csm_threats_agent_rule(
+ self,
+ body: CloudWorkloadSecurityAgentRuleCreateRequest,
+ ) -> CloudWorkloadSecurityAgentRuleResponse:
+ """Create a CSM Threats Agent rule.
+
+ Create a new Cloud Security Management Threats Agent rule with the given parameters.
+
+ :param body: The definition of the new Agent rule.
+ :type body: CloudWorkloadSecurityAgentRuleCreateRequest
+ :rtype: CloudWorkloadSecurityAgentRuleResponse
+ """
+ kwargs: Dict[str, Any] = {}
+ kwargs["body"] = body
+
+ return self._create_csm_threats_agent_rule_endpoint.call_with_http_info(**kwargs)
+
 def delete_cloud_workload_security_agent_rule(
 self,
 agent_rule_id: str,
@@ -192,6 +333,23 @@ def delete_cloud_workload_security_agent_rule(
 return self._delete_cloud_workload_security_agent_rule_endpoint.call_with_http_info(**kwargs)
+ def delete_csm_threats_agent_rule(
+ self,
+ agent_rule_id: str,
+ ) -> None:
+ """Delete a CSM Threats Agent rule.
+
+ Delete a specific Cloud Security Management Threats Agent rule.
+
+ :param agent_rule_id: The ID of the Agent rule.
+ :type agent_rule_id: str
+ :rtype: None
+ """
+ kwargs: Dict[str, Any] = {}
+ kwargs["agent_rule_id"] = agent_rule_id
+
+ return self._delete_csm_threats_agent_rule_endpoint.call_with_http_info(**kwargs)
+
 def download_cloud_workload_policy_file(
 self,
 ) -> file_type:
@@ -206,6 +364,20 @@ def download_cloud_workload_policy_file(
 kwargs: Dict[str, Any] = {}
 return self._download_cloud_workload_policy_file_endpoint.call_with_http_info(**kwargs)
+ def download_csm_threats_policy(
+ self,
+ ) -> file_type:
+ """Get the latest CSM Threats policy.
+
+ The download endpoint generates a CSM Threats policy file from your currently active
+ CSM Threats rules, and downloads them as a ``.policy`` file. This file can then be deployed to
+ your Agents to update the policy running in your environment.
+
+ :rtype: file_type
+ """
+ kwargs: Dict[str, Any] = {}
+ return self._download_csm_threats_policy_endpoint.call_with_http_info(**kwargs)
+
 def get_cloud_workload_security_agent_rule(
 self,
 agent_rule_id: str,
@@ -223,6 +395,23 @@ def get_cloud_workload_security_agent_rule(
 return self._get_cloud_workload_security_agent_rule_endpoint.call_with_http_info(**kwargs)
+ def get_csm_threats_agent_rule(
+ self,
+ agent_rule_id: str,
+ ) -> CloudWorkloadSecurityAgentRuleResponse:
+ """Get a CSM Threats Agent rule.
+
+ Get the details of a specific Cloud Security Management Threats Agent rule.
+
+ :param agent_rule_id: The ID of the Agent rule.
+ :type agent_rule_id: str
+ :rtype: CloudWorkloadSecurityAgentRuleResponse
+ """
+ kwargs: Dict[str, Any] = {}
+ kwargs["agent_rule_id"] = agent_rule_id
+
+ return self._get_csm_threats_agent_rule_endpoint.call_with_http_info(**kwargs)
+
 def list_cloud_workload_security_agent_rules(
 self,
 ) -> CloudWorkloadSecurityAgentRulesListResponse:
@@ -235,6 +424,18 @@ def list_cloud_workload_security_agent_rules(
 kwargs: Dict[str, Any] = {}
 return self._list_cloud_workload_security_agent_rules_endpoint.call_with_http_info(**kwargs)
+ def list_csm_threats_agent_rules(
+ self,
+ ) -> CloudWorkloadSecurityAgentRulesListResponse:
+ """Get all CSM Threats Agent rules.
+
+ Get the list of Cloud Security Management Threats Agent rules.
+
+ :rtype: CloudWorkloadSecurityAgentRulesListResponse
+ """
+ kwargs: Dict[str, Any] = {}
+ return self._list_csm_threats_agent_rules_endpoint.call_with_http_info(**kwargs)
+
 def update_cloud_workload_security_agent_rule(
 self,
 agent_rule_id: str,
@@ -257,3 +458,26 @@ def update_cloud_workload_security_agent_rule(
 kwargs["body"] = body
 return self._update_cloud_workload_security_agent_rule_endpoint.call_with_http_info(**kwargs)
+
+ def update_csm_threats_agent_rule(
+ self,
+ agent_rule_id: str,
+ body: CloudWorkloadSecurityAgentRuleUpdateRequest,
+ ) -> CloudWorkloadSecurityAgentRuleResponse:
+ """Update a CSM Threats Agent rule.
+
+ Update a specific Cloud Security Management Threats Agent rule.
+ Returns the Agent rule object when the request is successful.
+
+ :param agent_rule_id: The ID of the Agent rule.
+ :type agent_rule_id: str
+ :param body: New definition of the Agent rule.
+ :type body: CloudWorkloadSecurityAgentRuleUpdateRequest
+ :rtype: CloudWorkloadSecurityAgentRuleResponse
+ """
+ kwargs: Dict[str, Any] = {}
+ kwargs["agent_rule_id"] = agent_rule_id
+
+ kwargs["body"] = body
+
+ return self._update_csm_threats_agent_rule_endpoint.call_with_http_info(**kwargs)
diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_action.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_action.py
new file mode 100644
index 0000000000..4852cde060
--- /dev/null
+++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_action.py
@@ -0,0 +1,56 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.cloud_workload_security_agent_rule_kill import CloudWorkloadSecurityAgentRuleKill + + +class CloudWorkloadSecurityAgentRuleAction(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.cloud_workload_security_agent_rule_kill import ( + CloudWorkloadSecurityAgentRuleKill, + ) + + return { + "filter": (str,), + "kill": (CloudWorkloadSecurityAgentRuleKill,), + } + + attribute_map = { + "filter": "filter", + "kill": "kill", + } + + def __init__( + self_, + filter: Union[str, UnsetType] = unset, + kill: Union[CloudWorkloadSecurityAgentRuleKill, UnsetType] = unset, + **kwargs, + ): + """ + The action the rule can perform if triggered. + + :param filter: The selector to target the container on which the action is performed + :type filter: str, optional + + :param kill: The kill signal of the agent rule + :type kill: CloudWorkloadSecurityAgentRuleKill, optional + """ + if filter is not unset: + kwargs["filter"] = filter + if kill is not unset: + kwargs["kill"] = kill + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_attributes.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_attributes.py index b7e72fd693..e46ac1a4b3 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_attributes.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_attributes.py 
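Review bot: In `CloudWorkloadSecurityAgentRuleAction.__init__` the parameter `filter` shadows the builtin for the whole body (flake8-builtins A002); the generator emits the spec field name verbatim and `attribute_map` keys on it, so renaming is not an option, but a `# noqa: A002` on the `filter: Union[str, UnsetType] = unset,` line keeps linters quiet without touching the public signature. Separately, this model describes an action the Agent carries out on the host, so its docstring is where a reader would expect to learn what the `filter` selector is matched against and what happens when `filter` is unset — neither is stated, and `:param kill: The kill signal of the agent rule` only restates the type's name. Both `filter` and `kill.signal` are plain `str` here, so nothing in this client validates their contents; the spec wording should make clear that the API is the authority.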
@@ -8,12 +8,16 @@ from datadog_api_client.model_utils import ( ModelNormal, cached_property, + none_type, unset, UnsetType, ) if TYPE_CHECKING: + from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action import ( + CloudWorkloadSecurityAgentRuleAction, + ) from datadog_api_client.v2.model.cloud_workload_security_agent_rule_creator_attributes import ( CloudWorkloadSecurityAgentRuleCreatorAttributes, ) @@ -25,6 +29,9 @@ class CloudWorkloadSecurityAgentRuleAttributes(ModelNormal): @cached_property def openapi_types(_): + from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action import ( + CloudWorkloadSecurityAgentRuleAction, + ) from datadog_api_client.v2.model.cloud_workload_security_agent_rule_creator_attributes import ( CloudWorkloadSecurityAgentRuleCreatorAttributes, ) @@ -33,6 +40,7 @@ def openapi_types(_): ) return { + "actions": ([CloudWorkloadSecurityAgentRuleAction],), "agent_constraint": (str,), "category": (str,), "creation_author_uu_id": (str,), @@ -42,7 +50,7 @@ def openapi_types(_): "description": (str,), "enabled": (bool,), "expression": (str,), - "filters": ([str],), + "filters": ([str], none_type), "name": (str,), "update_author_uu_id": (str,), "update_date": (int,), @@ -52,6 +60,7 @@ def openapi_types(_): } attribute_map = { + "actions": "actions", "agent_constraint": "agentConstraint", "category": "category", "creation_author_uu_id": "creationAuthorUuId", @@ -72,6 +81,7 @@ def openapi_types(_): def __init__( self_, + actions: Union[List[CloudWorkloadSecurityAgentRuleAction], none_type, UnsetType] = unset, agent_constraint: Union[str, UnsetType] = unset, category: Union[str, UnsetType] = unset, creation_author_uu_id: Union[str, UnsetType] = unset, 
@@ -81,7 +91,7 @@ def __init__( description: Union[str, UnsetType] = unset, enabled: Union[bool, UnsetType] = unset, expression: Union[str, UnsetType] = unset, - filters: Union[List[str], UnsetType] = unset, + filters: Union[List[str], none_type, UnsetType] = unset, name: Union[str, UnsetType] = unset, update_author_uu_id: Union[str, UnsetType] = unset, update_date: Union[int, UnsetType] = unset, @@ -93,6 +103,9 @@ def __init__( """ A Cloud Workload Security Agent rule returned by the API. + :param actions: The array of actions the rule can perform if triggered. + :type actions: [CloudWorkloadSecurityAgentRuleAction], none_type, optional + :param agent_constraint: The version of the agent. :type agent_constraint: str, optional @@ -121,7 +134,7 @@ def __init__( :type expression: str, optional :param filters: The platforms the Agent rule is supported on. - :type filters: [str], optional + :type filters: [str], none_type, optional :param name: The name of the Agent rule. :type name: str, optional @@ -141,6 +154,8 @@ def __init__( :param version: The version of the Agent rule. :type version: int, optional """ + if actions is not unset: + kwargs["actions"] = actions if agent_constraint is not unset: kwargs["agent_constraint"] = agent_constraint if category is not unset: diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_kill.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_kill.py new file mode 100644 index 0000000000..415737293c --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_kill.py 
@@ -0,0 +1,36 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +class CloudWorkloadSecurityAgentRuleKill(ModelNormal): + @cached_property + def openapi_types(_): + return { + "signal": (str,), + } + + attribute_map = { + "signal": "signal", + } + + def __init__(self_, signal: Union[str, UnsetType] = unset, **kwargs): + """ + The kill signal of the agent rule + + :param signal: The scope of the kill action + :type signal: str, optional + """ + if signal is not unset: + kwargs["signal"] = signal + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_data.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_data.py index 90d2f24a42..c288bbe03c 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_data.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_data.py @@ -3,11 +3,13 @@ # Copyright 2019-Present Datadog, Inc. from __future__ import annotations -from typing import TYPE_CHECKING +from typing import Union, TYPE_CHECKING from datadog_api_client.model_utils import ( ModelNormal, cached_property, + unset, + UnsetType, ) @@ -30,11 +32,13 @@ def openapi_types(_): return { "attributes": (CloudWorkloadSecurityAgentRuleUpdateAttributes,), + "id": (str,), "type": (CloudWorkloadSecurityAgentRuleType,), } attribute_map = { "attributes": "attributes", + "id": "id", "type": "type", } 
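Review bot: The parameter documentation in `CloudWorkloadSecurityAgentRuleKill.__init__` contradicts the class description: the class docstring says `The kill signal of the agent rule`, but `signal` is documented as `The scope of the kill action`, which reads like text carried over from another field. If `signal` names the signal delivered to the matched process, say so and list the accepted spellings, e.g. `:param signal: Signal delivered by the kill action, for example ``SIGKILL`` (constructed example; confirm accepted values against the spec).` The type is `(str,)`, so any string passes the model's type check and only the server validates it; the docstring is the only place a caller can learn the expected values. As with the sibling models, the fix has to go into the spec rather than this generated file.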
@@ -42,6 +46,7 @@ def __init__( self_, attributes: CloudWorkloadSecurityAgentRuleUpdateAttributes, type: CloudWorkloadSecurityAgentRuleType, + id: Union[str, UnsetType] = unset, **kwargs, ): """ @@ -50,9 +55,14 @@ def __init__( :param attributes: Update an existing Cloud Workload Security Agent rule. :type attributes: CloudWorkloadSecurityAgentRuleUpdateAttributes + :param id: The ID of the agent rule. + :type id: str, optional + :param type: The type of the resource. The value should always be ``agent_rule``. :type type: CloudWorkloadSecurityAgentRuleType """ + if id is not unset: + kwargs["id"] = id super().__init__(kwargs) self_.attributes = attributes diff --git a/src/datadog_api_client/v2/models/__init__.py b/src/datadog_api_client/v2/models/__init__.py index dd155848f8..e45c5284e6 100644 --- a/src/datadog_api_client/v2/models/__init__.py +++ b/src/datadog_api_client/v2/models/__init__.py @@ -227,6 +227,7 @@ from datadog_api_client.v2.model.cloud_cost_activity_attributes import CloudCostActivityAttributes from datadog_api_client.v2.model.cloud_cost_activity_response import CloudCostActivityResponse from datadog_api_client.v2.model.cloud_cost_activity_type import CloudCostActivityType +from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action import CloudWorkloadSecurityAgentRuleAction from datadog_api_client.v2.model.cloud_workload_security_agent_rule_attributes import ( CloudWorkloadSecurityAgentRuleAttributes, ) @@ -243,6 +244,7 @@ CloudWorkloadSecurityAgentRuleCreatorAttributes, ) from datadog_api_client.v2.model.cloud_workload_security_agent_rule_data import CloudWorkloadSecurityAgentRuleData +from datadog_api_client.v2.model.cloud_workload_security_agent_rule_kill import CloudWorkloadSecurityAgentRuleKill from datadog_api_client.v2.model.cloud_workload_security_agent_rule_response import ( CloudWorkloadSecurityAgentRuleResponse, ) 
@@ -1891,12 +1893,14 @@ "CloudCostActivityAttributes", "CloudCostActivityResponse", "CloudCostActivityType", + "CloudWorkloadSecurityAgentRuleAction", "CloudWorkloadSecurityAgentRuleAttributes", "CloudWorkloadSecurityAgentRuleCreateAttributes", "CloudWorkloadSecurityAgentRuleCreateData", "CloudWorkloadSecurityAgentRuleCreateRequest", "CloudWorkloadSecurityAgentRuleCreatorAttributes", "CloudWorkloadSecurityAgentRuleData", + "CloudWorkloadSecurityAgentRuleKill", "CloudWorkloadSecurityAgentRuleResponse", "CloudWorkloadSecurityAgentRuleType", "CloudWorkloadSecurityAgentRuleUpdateAttributes", diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen index d297615830..4e81d8aafe 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen @@ -1 +1 @@ -2022-01-11T18:11:35.118Z \ No newline at end of file +2024-03-07T18:00:09.670Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml index 0930248d33..8b07fdfa12 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml 
@@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path - = sh","name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1641924695"},"type":"agent_rule"}}' + = sh","name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709834409"},"type":"agent_rule"}}' headers: accept: - application/json @@ -12,8 +12,10 @@ interactions: response: body: string: '{"errors":["input_validation_error(Field ''expression'' is invalid: - rule `testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1641924695` - definition error: syntax error: 1:18: unexpected token \"sh\" (expected \"~\"))"]}' + rule `testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709834409` + error: syntax error `1:18: unexpected token \"sh\" (expected \"~\")`)"]} + + ' headers: content-type: - application/json diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.frozen index 9c7c5b6295..56933e5837 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2022-05-12T09:51:20.359Z \ No newline at end of file +2024-03-07T18:00:10.035Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.yaml index 668ecbba4c..faaeb9d688 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.yaml 
+++ b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1652349080"},"type":"agent_rule"}}' + == \"sh\"","name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1709834410"},"type":"agent_rule"}}' headers: accept: - application/json @@ -11,12 +11,16 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"attributes":{"category":"Process Activity","name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1652349080","creator":{"handle":"frog@datadoghq.com","name":null},"description":"Test - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349080821,"creationDate":1652349080821,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"qb1-cn9-jwq"}}' + string: '{"data":{"id":"l6x-tnf-sav","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1709834410","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709834410468,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709834410468,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le + Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} + + ' headers: content-type: - - application/json;charset=utf-8 + - application/json status: code: 200 message: OK 
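Review bot: The re-recorded response body in this hunk replaces the previous scrubbed identity (`"handle":"frog@datadoghq.com","name":null`) with a real person's name and e-mail handle in `creator` and `updater`, plus a `creationAuthorUuId`/`updateAuthorUuId` value, and the same identity is embedded in every other create, get and delete cassette recorded in this commit for both endpoint families. These fixtures ship with the client source, so the personal data is published with every checkout and release. The earlier recordings show that a placeholder used to be substituted, which suggests the cassette recording filter does not cover the new response shape (the `name` field is now populated and the two author UUID fields are new). Extend the filter to `creator`, `updater`, `creationAuthorUuId` and `updateAuthorUuId` and re-record, or rewrite these values to a placeholder by hand before merging.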
@@ -26,13 +30,11 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/qb1-cn9-jwq + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/l6x-tnf-sav response: body: string: '' - headers: - content-type: - - application/json;charset=utf-8 + headers: {} status: code: 204 message: No Content diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.frozen new file mode 100644 index 0000000000..5f576c331f --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:07.544Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.yaml new file mode 100644 index 0000000000..2ebcc11fe5 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.yaml @@ -0,0 +1,22 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == sh","name":"my_agent_rule"},"type":"agent_rule"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + response: + body: + string: '{"errors":["input_validation_error(Field ''expression'' is invalid: + rule `my_agent_rule` error: rule compilation error: field `sh` not found)"]}' + headers: + content-type: + - application/json + status: + code: 400 + message: Bad Request +version: 1 
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_conflict_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_conflict_response.frozen new file mode 100644 index 0000000000..2dccd862e9 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_conflict_response.frozen @@ -0,0 +1 @@ +2024-03-06T09:58:37.695Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_conflict_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_conflict_response.yaml new file mode 100644 index 0000000000..32fb9fe835 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_conflict_response.yaml 
@@ -0,0 +1,40 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == \"sh\"","name":"my_agent_rule"},"type":"agent_rule"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + response: + body: + string: '{"data":{"id":"8r4-bdz-7ma","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1709719118032,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":null,"name":"my_agent_rule","updateDate":1709719118032,"updater":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/8r4-bdz-7ma + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.frozen new file mode 100644 index 0000000000..bc79b1934e --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:08.148Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.yaml new file mode 100644 index 0000000000..bae45313a9 --- /dev/null 
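Review bot: The `_returns_conflict_response` cassette never records a conflict: it holds a single POST answered with 200 and a DELETE answered with 200, so whatever the scenario asserts about a 409 cannot be exercised by this recording (the scenario definition itself is not visible here). Either the recording should include the second, conflicting POST and its error response, or the scenario should be renamed to what it actually tests. Note also that this cassette, recorded on 2024-03-06, shows the DELETE returning 200, while the `_returns_ok_response` cassette for the same endpoint recorded on 2024-03-07 returns 204 for the same DELETE; if the API changed between the two recordings, the fixtures now disagree about the delete status code and one of them should be re-recorded.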
+++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.yaml @@ -0,0 +1,40 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == \"sh\"","name":"my_agent_rule"},"type":"agent_rule"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + response: + body: + string: '{"data":{"id":"c4k-iay-32y","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1709834408570,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":null,"name":"my_agent_rule","updateDate":1709834408570,"updater":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/c4k-iay-32y + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen index 9f8ca51b7a..7df357c3b1 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen @@ -1 +1 @@ -2022-05-12T09:51:21.337Z \ No newline at end of file +2024-03-07T18:00:13.299Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml index cc184bbfae..07adec3842 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml @@ -8,7 +8,9 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz response: body: - string: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]}' + string: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]} + + ' headers: content-type: - application/json diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.frozen index c0bf1eb515..78c167aa14 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2022-05-12T09:51:21.769Z \ No newline at end of file +2024-03-07T18:00:13.772Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.yaml index 01da6a5a41..473195c662 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.yaml 
+++ b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1652349081"},"type":"agent_rule"}}' + == \"sh\"","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1709834413"},"type":"agent_rule"}}' headers: accept: - application/json @@ -11,12 +11,16 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"attributes":{"category":"Process Activity","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1652349081","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349082186,"creationDate":1652349082186,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"hqy-ez4-nci"}}' + string: '{"data":{"id":"1cf-qhl-b7m","attributes":{"version":1,"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1709834413","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709834414174,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709834414174,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le + Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} + + ' headers: content-type: - - application/json;charset=utf-8 + - application/json status: code: 200 message: OK 
@@ -26,13 +30,11 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/hqy-ez4-nci + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/1cf-qhl-b7m response: body: string: '' - headers: - content-type: - - application/json;charset=utf-8 + headers: {} status: code: 204 message: No Content @@ -42,10 +44,12 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/hqy-ez4-nci + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/1cf-qhl-b7m response: body: - string: '{"errors":["not_found(Agent rule not found: agentRuleId=hqy-ez4-nci)"]}' + string: '{"errors":["not_found(Agent rule not found: agentRuleId=1cf-qhl-b7m)"]} + + ' headers: content-type: - application/json diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.frozen new file mode 100644 index 0000000000..e1289bb74d --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:10.960Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.yaml new file mode 100644 index 0000000000..6271d24327 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.yaml 
@@ -0,0 +1,20 @@ +interactions: +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz + response: + body: + string: '{"errors":[{"title":"failed to delete rule"}]} + + ' + headers: + content-type: + - application/json + status: + code: 404 + message: Not Found +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.frozen new file mode 100644 index 0000000000..a0718353e7 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:11.316Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.yaml new file mode 100644 index 0000000000..13b31bd947 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.yaml 
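Review bot: The 404 body recorded from the new `/remote_config/products/cws/agent_rules` endpoint is `{"errors":[{"title":"failed to delete rule"}]}`, a list of objects, whereas every `/security_monitoring/cloud_workload_security` cassette in this commit records `errors` as a list of strings (`["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]`). The error model the client deserializes these bodies into is not visible here, so I cannot tell whether a list of objects is accepted; if it expects strings, the exception raised for the new endpoint would carry a deserialization failure instead of the server's message. The same body appears in the second DELETE of the CSM Threats `delete_..._returns_ok_response` cassette. A scenario that asserts the decoded error message rather than only the status code would catch this.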
@@ -0,0 +1,58 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == \"sh\"","name":"testdeleteacsmthreatsagentrulereturnsokresponse1709834411"},"type":"agent_rule"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + response: + body: + string: '{"data":{"id":"vf3-tgf-8rd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1709834411719,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":null,"name":"testdeleteacsmthreatsagentrulereturnsokresponse1709834411","updateDate":1709834411719,"updater":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/vf3-tgf-8rd + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/vf3-tgf-8rd + response: + body: + string: '{"errors":[{"title":"failed to delete rule"}]} + + ' + headers: + content-type: + - application/json + status: + code: 404 + message: Not Found +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen index 712680a66f..b86c8244d6 100644 
--- a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen @@ -1 +1 @@ -2022-01-11T18:11:38.248Z \ No newline at end of file +2024-03-07T18:00:17.534Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml index 7ac587ed9f..adb30d74c2 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml @@ -8,7 +8,9 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz response: body: - string: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]}' + string: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]} + + ' headers: content-type: - application/json diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.frozen index e73f1c14f7..88ce4dc9b0 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2022-05-12T09:51:23.120Z \ No newline at end of file +2024-03-07T18:00:18.020Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.yaml index 7164aeac98..526642c87c 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1652349083"},"type":"agent_rule"}}' + == \"sh\"","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1709834418"},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,12 +11,16 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"attributes":{"category":"Process Activity","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1652349083","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349083546,"creationDate":1652349083546,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"xnm-bjf-tfb"}}' + string: '{"data":{"id":"u6d-o9l-cog","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1709834418","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709834418491,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709834418491,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le + Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} + + ' headers: content-type: - - application/json;charset=utf-8 + - application/json status: code: 200 message: OK 
@@ -26,15 +30,19 @@ interactions: accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/xnm-bjf-tfb + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/u6d-o9l-cog response: body: - string: '{"data":{"attributes":{"category":"Process Activity","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1652349083","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349083546,"creationDate":1652349083546,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"xnm-bjf-tfb"}}' + string: '{"data":{"id":"u6d-o9l-cog","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1709834418","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709834418491,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709834418491,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le + Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} + + ' headers: content-type: - - application/json;charset=utf-8 + - application/json status: code: 200 message: OK @@ -44,13 +52,11 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/xnm-bjf-tfb + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/u6d-o9l-cog response: body: string: '' - headers: - content-type: - - application/json;charset=utf-8 + headers: {} status: code: 204 message: No Content 
diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.frozen new file mode 100644 index 0000000000..171f053bbc --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:15.130Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.yaml new file mode 100644 index 0000000000..362ff446b6 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.yaml @@ -0,0 +1,20 @@ +interactions: +- request: + body: null + headers: + accept: + - application/json + method: GET + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz + response: + body: + string: '{"errors":[{"title":"failed to get rule"}]} + + ' + headers: + content-type: + - application/json + status: + code: 404 + message: Not Found +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.frozen new file mode 100644 index 0000000000..751318e533 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:15.535Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.yaml new file mode 100644 index 0000000000..0b1ea8688e --- /dev/null 
+++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.yaml 
@@ -0,0 +1,59 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == \"sh\"","name":"testgetacsmthreatsagentrulereturnsokresponse1709834415"},"type":"agent_rule"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + response: + body: + string: '{"data":{"id":"kyj-ggc-mwg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1709834415959,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":null,"name":"testgetacsmthreatsagentrulereturnsokresponse1709834415","updateDate":1709834415959,"updater":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - application/json + method: GET + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/kyj-ggc-mwg + response: + body: + string: '{"data":{"id":"kyj-ggc-mwg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1709834415000,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":null,"name":"testgetacsmthreatsagentrulereturnsokresponse1709834415","updateDate":1709834415000,"updater":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/kyj-ggc-mwg + response: + body: + string: '' + 
headers: + content-type: + - application/json + status: + code: 204 + message: No Content +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.frozen index c9a383b559..6d3b465fe5 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.frozen @@ -1 +1 @@ -2022-05-12T09:51:24.499Z \ No newline at end of file +2024-03-07T18:00:20.206Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.yaml index c1064fb470..f2e5a4b158 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1652349084"},"type":"agent_rule"}}' + == \"sh\"","name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1709834420"},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,12 +11,16 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"attributes":{"category":"Process Activity","name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1652349084","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349084949,"creationDate":1652349084949,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"w3n-qy8-qud"}}' + string: '{"data":{"id":"7ob-i7p-lcg","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1709834420","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709834420641,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709834420641,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le + Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} + + ' headers: content-type: - - application/json;charset=utf-8 + - application/json status: code: 200 message: OK 
@@ -29,781 +33,1053 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":[{"attributes":{"category":"Process Activity","name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1652349084","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349084949,"creationDate":1652349084949,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"w3n-qy8-qud"},{"attributes":{"category":"Process - Activity","name":"new_binary_execution_in_container","creator":{"handle":"","name":""},"description":"A - container executed a new a binary not found in the container image","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1652129913862,"creationDate":1652129906455,"expression":"container.id - !=\"\" && !process.file.in_upper_layer && process.file.modification_time < - 30s && exec.file.name !=\"\""},"type":"agent_rule","id":"pwh-omk-qrr"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652008845797,"creationDate":1652008845797,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"ntj-rfs-mw3"},{"attributes":{"category":"Process - Activity","name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887","creator":{"handle":"frog@datadoghq.com","name":null},"description":"Test - Agent 
rule","enabled":true,"defaultRule":false,"version":2,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997888544,"creationDate":1651997888388,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"dyn-u7u-v86"},{"attributes":{"category":"Process - Activity","name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997887223,"creationDate":1651997887223,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"mlg-yxw-uig"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997886363,"creationDate":1651997886363,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"lq3-t6t-xng"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997885869,"creationDate":1651997885869,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"1hp-hpr-4ez"},{"attributes":{"category":"Process - Activity","name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997884985,"creationDate":1651997884985,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"mt3-pks-n5s"},{"attributes":{"category":"Process - Activity","name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883","creator":{"handle":"frog@datadoghq.com","name":null},"description":"Test - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997884150,"creationDate":1651997884150,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"r4a-yvz-rj7"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651943472022,"creationDate":1651943472022,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"5k1-gwi-0aq"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651915815493,"creationDate":1651915815493,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"lkj-jnq-r6s"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651912470539,"creationDate":1651912470539,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"mbc-iwk-zpb"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651867150336,"creationDate":1651867150336,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"fzb-lli-m26"},{"attributes":{"category":"Process - Activity","name":"suspicious_container_client","creator":{"handle":"","name":""},"description":"A - container management utility was executed in a container","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1651671394200,"creationDate":1617722068555,"expression":"exec.file.name - in [\"docker\", \"kubectl\"] && container.id != \"\""},"type":"agent_rule","id":"9mk-xxe-lpw"},{"attributes":{"category":"Kernel - Activity","name":"kernel_module_load","creator":{"handle":"","name":""},"description":"A - kernel module was loaded","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1650371511244,"creationDate":1650293718458,"expression":"load_module.name - != \"\""},"type":"agent_rule","id":"f5y-pdn-pnj"},{"attributes":{"category":"Kernel - Activity","name":"new_kernel_module_audit","creator":{"handle":"","name":""},"description":"A - kernel module was loaded","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1650371511243,"creationDate":1650293718502,"expression":"load_module.name - != \"\""},"type":"agent_rule","id":"0dt-ev3-tgr"},{"attributes":{"category":"Kernel - 
Activity","name":"kernel_module_load_container","creator":{"handle":"","name":""},"description":"A - container loaded a new kernel module","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1650371511241,"creationDate":1650293718705,"expression":"load_module.name - != \"\" && container.id !=\"\""},"type":"agent_rule","id":"ieg-lmk-cgo"},{"attributes":{"category":"Kernel - Activity","name":"new_kernel_module_audit_container","creator":{"handle":"","name":""},"description":"A - kernel module was loaded","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1650371511240,"creationDate":1650293718457,"expression":"load_module.name - != \"\" && container.id !=\"\""},"type":"agent_rule","id":"rbg-5fp-tm8"},{"attributes":{"category":"Kernel - Activity","name":"ptrace_injection","creator":{"handle":"","name":""},"description":"A - process attempted to inject code into another process","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1650293789265,"creationDate":1650293718540,"expression":"ptrace.request - == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request - == PTRACE_POKEUSR"},"type":"agent_rule","id":"lzx-kkv-at3"},{"attributes":{"category":"Kernel - Activity","name":"ptrace_antidebug","creator":{"handle":"","name":""},"description":"A - process uses an anti-debugging technique to block debuggers","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1650293789216,"creationDate":1650293718435,"expression":"ptrace.request - == PTRACE_TRACEME"},"type":"agent_rule","id":"hnh-eio-mow"},{"attributes":{"category":"Kernel - Activity","name":"kernel_module_load_from_memory","creator":{"handle":"","name":""},"description":"A - kernel module was loaded from 
memory","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1650293788996,"creationDate":1650293718630,"expression":"load_module.loaded_from_memory - == true"},"type":"agent_rule","id":"j3f-cie-47b"},{"attributes":{"category":"Kernel - Activity","name":"kernel_module_load_from_memory_container","creator":{"handle":"","name":""},"description":"A - kernel module was loaded from memory inside a container","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1650293788418,"creationDate":1650293718365,"expression":"load_module.loaded_from_memory - == true && container.id !=\"\""},"type":"agent_rule","id":"foo-pve-qbq"},{"attributes":{"category":"Process - Activity","name":"database_shell_execution","creator":{"handle":"","name":""},"description":"A - database application spawned a shell, shell utility, or HTTP utility","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1649256369233,"creationDate":1617722069155,"expression":"(exec.file.path - in [ \"/bin/dash\", \"/usr/bin/dash\",\n \"/bin/sh\", \"/bin/static-sh\", - \"/usr/bin/sh\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\", - \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\", \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\", - \"/bin/zsh5-static\" ] ||\n exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] - ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) - &&\nprocess.ancestors.file.name in [\"mysqld\", \"mongod\", \"postgres\"] - &&\n!(process.ancestors.file.name == \"initdb\" &&\nexec.args == ~\"*locale - 
-a*\")"},"type":"agent_rule","id":"phy-tco-k7w"},{"attributes":{"category":"Process - Activity","name":"potential_web_shell","creator":{"handle":"","name":""},"description":"A - webapp process (language engine or webserver) spawned a shell, shell utility, - or HTTP utility","enabled":true,"defaultRule":true,"version":5,"updater":{"handle":"","name":""},"updateDate":1648752302471,"creationDate":1642158535124,"expression":"(exec.file.path - in [ \"/bin/dash\", \"/usr/bin/dash\",\n \"/bin/sh\", \"/bin/static-sh\", - \"/usr/bin/sh\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\", - \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\", \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\", - \"/bin/zsh5-static\" ] || exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] - || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) - &&\n(process.ancestors.file.name in [~\"python2*\", ~\"python3*\", \"node\", - \"apache2\", \"nginx\", ~\"tomcat*\"] || process.ancestors.file.name =~ \"php*\") - 
&&\nprocess.ancestors.comm not in [\"pip3\", \"pip\", \"npm\"]"},"type":"agent_rule","id":"wmi-qbh-yyj"},{"attributes":{"category":"File - Activity","name":"dirty_pipe_attempt","creator":{"handle":"","name":""},"description":"Potential - Dirty pipe exploitation attempt","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1648564169932,"creationDate":1648564123603,"expression":"(splice.pipe_entry_flag - & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) - == 0"},"type":"agent_rule","id":"jx4-pkv-247"},{"attributes":{"category":"File - Activity","name":"dirty_pipe_exploitation","creator":{"handle":"","name":""},"description":"Potential - Dirty pipe exploitation","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1648564169488,"creationDate":1648564123563,"expression":"(splice.pipe_exit_flag - & PIPE_BUF_FLAG_CAN_MERGE) > 0"},"type":"agent_rule","id":"aux-r7v-odv"},{"attributes":{"category":"Process - Activity","name":"example_agent_rule","creator":{"handle":"frog@datadoghq.com","name":null},"description":"An - example agent rule generated in terraform","enabled":true,"defaultRule":false,"version":3,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1647036377676,"creationDate":1647036168203,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"irg-o45-pxz"},{"attributes":{"category":"Process - Activity","name":"net_util_in_container","creator":{"handle":"","name":""},"description":"A - network utility was executed from a suspicious location in a container","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1646838764572,"creationDate":1617722068439,"expression":"(exec.file.path - in [\"/usr/bin/socat\", \"/usr/bin/dig\", \"/usr/bin/nslookup\", \"/usr/bin/netcat\", - \"/usr/bin/nc\"] ||\n exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"]) - &&\ncontainer.id != \"\" && 
(exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", - ~\"*motd.ubuntu.com*\" ] || process.ancestors.comm != \"50-motd-news\") && - process.ancestors.file.path in [ ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/home/**\", - ~\"/run/user/**\" ]"},"type":"agent_rule","id":"ifl-wfe-sch"},{"attributes":{"category":"Process - Activity","name":"net_util","creator":{"handle":"","name":""},"description":"A - network utility was executed from a suspicious location","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1645196276088,"creationDate":1642158534952,"expression":"(exec.file.path - in [\"/usr/bin/socat\", \"/usr/bin/dig\", \"/usr/bin/nslookup\", \"/usr/bin/netcat\", - \"/usr/bin/nc\"] ||\n exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"]) - &&\ncontainer.id == \"\" && (exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", - ~\"*motd.ubuntu.com*\" ] || process.ancestors.comm != \"50-motd-news\") && - process.ancestors.file.path in [ ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/home/**\", - ~\"/run/user/**\" ]"},"type":"agent_rule","id":"3lt-gov-2yu"},{"attributes":{"category":"Process - Activity","name":"pwnkit_privilege_escalation","creator":{"handle":"","name":""},"description":"A - process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1643639115768,"creationDate":1643639113864,"expression":"(exec.file.path - == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.uid - != 0)"},"type":"agent_rule","id":"vri-cjo-ywh"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392938634,"creationDate":1643392938634,"expression":"exec.file.name - 
== \"java\""},"type":"agent_rule","id":"rsy-7jg-hqm"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392919175,"creationDate":1643392919175,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"m39-rre-anw"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392899126,"creationDate":1643392899126,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"4wd-unc-xof"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392475857,"creationDate":1643392475857,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"jhk-qpj-jlt"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392453588,"creationDate":1643392453588,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"ruf-aic-d4j"},{"attributes":{"category":"Process - 
Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392434263,"creationDate":1643392434263,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"jtf-zrn-0ph"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392042558,"creationDate":1643392042558,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"ijz-1cz-bms"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392021741,"creationDate":1643392021741,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"21m-gs8-p43"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643391998597,"creationDate":1643391998597,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"in7-ydq-pbw"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643391745920,"creationDate":1643391745920,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"v8v-sem-rmg"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643391725233,"creationDate":1643391725233,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"kox-qtp-cbn"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643391702920,"creationDate":1643391702920,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"thp-evn-3gr"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390450706,"creationDate":1643390450706,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"hx6-v0z-9gk"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390427444,"creationDate":1643390427444,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"n8j-9n3-urm"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390405807,"creationDate":1643390405807,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"tkl-mjf-is5"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390171673,"creationDate":1643390171673,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"up2-fhh-bc8"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390147278,"creationDate":1643390147278,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"vdu-0rd-lnj"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390124588,"creationDate":1643390124588,"expression":"exec.file.name - == 
\"java\""},"type":"agent_rule","id":"dfb-wz2-0ka"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389998703,"creationDate":1643389998703,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"7vz-wdj-vwc"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389972825,"creationDate":1643389972825,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"qls-upn-1vc"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389950224,"creationDate":1643389950224,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"rxo-lya-bqu"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389929035,"creationDate":1643389929035,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"dm3-ip4-rza"},{"attributes":{"category":"Process - 
Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389773436,"creationDate":1643389773436,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"rzs-ccq-4qm"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389706550,"creationDate":1643389706550,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"wa9-zm8-8ds"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389645597,"creationDate":1643389645597,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"alm-sgy-vz3"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389575084,"creationDate":1643389575084,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"dls-vo9-rqx"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389549031,"creationDate":1643389549031,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"fyz-u20-nvn"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389523942,"creationDate":1643389523942,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"nqv-0et-fcj"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389502800,"creationDate":1643389502800,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"u7v-36z-wue"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389479547,"creationDate":1643389479547,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"y2z-ffa-zys"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389428402,"creationDate":1643389428402,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"cym-1zi-nnd"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389406698,"creationDate":1643389406698,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"ip9-wgt-q3k"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389381751,"creationDate":1643389381751,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"t9d-zbo-2nw"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389356453,"creationDate":1643389356453,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"kaw-0h7-dji"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389335243,"creationDate":1643389335243,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"m4i-otg-jnj"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389226802,"creationDate":1643389226802,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"heh-lnh-xwm"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389204108,"creationDate":1643389204108,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"cwa-5rh-qtd"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389181761,"creationDate":1643389181761,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"e5l-xtx-hmi"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389155207,"creationDate":1643389155207,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"ebx-lyj-r3a"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389130549,"creationDate":1643389130549,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"xac-4if-49b"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389106392,"creationDate":1643389106392,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"dh6-bdu-8v0"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388960762,"creationDate":1643388960762,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"hkd-6dr-ify"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388931383,"creationDate":1643388931383,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"bsx-fod-0xj"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388907818,"creationDate":1643388907818,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"8jt-x9p-yoy"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388883010,"creationDate":1643388883010,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"rhd-qao-dub"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388862340,"creationDate":1643388862340,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"j0f-fhi-ab7"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388843151,"creationDate":1643388843151,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"rvn-u2c-xm4"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388744863,"creationDate":1643388744863,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"ldn-agb-3fl"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388719895,"creationDate":1643388719895,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"cyr-g7t-to0"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388693095,"creationDate":1643388693095,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"wnm-xkk-mat"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388275282,"creationDate":1643388275282,"expression":"exec.file.name - == 
\"java\""},"type":"agent_rule","id":"moo-kuq-zbt"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388250051,"creationDate":1643388250051,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"wzs-moc-ji9"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388226579,"creationDate":1643388226579,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"uw2-d3y-5h6"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388201323,"creationDate":1643388201323,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"fez-txs-qf9"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388177724,"creationDate":1643388177724,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"fga-mna-xej"},{"attributes":{"category":"Process - 
Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388157048,"creationDate":1643388157048,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"iyn-7sl-swn"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388010676,"creationDate":1643388010676,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"p3w-qyi-pbo"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387597089,"creationDate":1643387597089,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"yyt-sfa-fck"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387573023,"creationDate":1643387573023,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"5z7-fqq-siu"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387549793,"creationDate":1643387549793,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"ivz-amj-yl7"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387524178,"creationDate":1643387524178,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"lyv-3xn-qch"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387500298,"creationDate":1643387500298,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"fpt-c7o-ipx"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387480011,"creationDate":1643387480011,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"tap-fek-5kw"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387165931,"creationDate":1643387165931,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"u7b-x0z-cbe"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387141298,"creationDate":1643387141298,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"hhe-gcm-vjl"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387114912,"creationDate":1643387114912,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"nt9-5fe-de1"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387082695,"creationDate":1643387082695,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"pj0-bcy-euh"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387057879,"creationDate":1643387057879,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"rm5-px4-iua"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387032689,"creationDate":1643387032689,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"cqz-7pc-ajz"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386926682,"creationDate":1643386926682,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"hot-prj-df5"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386901939,"creationDate":1643386901939,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"q7n-lvv-4au"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386877222,"creationDate":1643386877222,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"gly-5wu-uny"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386850558,"creationDate":1643386850558,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"umz-fjl-7qq"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386826170,"creationDate":1643386826170,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"spq-5f8-isw"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386804704,"creationDate":1643386804704,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"dul-hdz-xmo"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386762229,"creationDate":1643386762229,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"n94-q2a-co9"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386735946,"creationDate":1643386735946,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"x1n-wra-hdt"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386713348,"creationDate":1643386713348,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"kgt-kcc-tnu"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386674573,"creationDate":1643386674573,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"znp-dul-gcj"},{"attributes":{"category":"Process - Activity","name":"apparmor_modified_tty","creator":{"handle":"","name":""},"description":"AppArmor - Profile Modified","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1636729678630,"creationDate":1627392836162,"expression":"exec.file.name - in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name 
!=\"\""},"type":"agent_rule","id":"ki7-koc-icf"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_chmod","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (chmod.file.path + string: '{"data":[{"id":"7ob-i7p-lcg","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1709834420","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709834420641,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709834420641,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le + Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"},{"id":"g5j-9l5-phu","attributes":{"version":11,"name":"cryptominer_args","description":"A + process launched with arguments associated with cryptominers","expression":"exec.args_flags + in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args + in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", + ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process + Activity","creationDate":0,"updateAuthorUuId":"3c3ddadd-9ceb-11ed-b5f9-b6e96f801924","updateDate":1709241156082,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Daniel + Zhou","handle":"daniel.zhou@datadoghq.com"}},"type":"agent_rule"},{"id":"ya1-tzs-p2g","attributes":{"version":2,"name":"tde_malware_ransomware_notes_written","description":"A + possible ransomware 
note created under common user directories","expression":"open.file.path + in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", + ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", + ~\"/var/www/**\"] && open.file.name in [r\".*(restore|recovery|readme|instruction|how_to|ransom).*\", + r\".*(your_|crypt|lock|important).*\\.txt$\"]","category":"File Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703167436145,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1708536266340,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"xn0-ede-cwo","attributes":{"version":1,"name":"tde_nsenter_pid1_detection","description":"nsenter + used in container to execute code on the OS PID1","expression":"exec.file.name + == \"nsenter\" && exec.args_options in [\"target=1\", \"t=1\"] && container.id + !=\"\"","category":"Process Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1707329054174,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1707329054174,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"wyh-nt8-y0o","attributes":{"version":1,"name":"tde_red_team_domains_used","description":"Connection + to red team domain","expression":"dns.question.name in [~\"*.interact.sh\" + , ~\"*.oast.pro\" , ~\"*.oast.live\" , ~\"*.oast.site\" , ~\"*.oast.online\" 
+ , ~\"*.oast.fun\" , ~\"*.oast.me\" , ~\"*.burpcollaborator.net\" , ~\"*.oastify.com\" + , ~\"*canarytokens.com\" , ~\"*.requestbin.net\" , ~\"*.dnslog.cn\"]","category":"Network + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1705421116371,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1705421116371,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"mua-npg-7n2","attributes":{"version":1,"name":"looney_tunables_exploit","description":"Looney + Tunables (CVE-2023-4911) exploit attempted","expression":"exec.file.mode & + S_ISUID > 0 && exec.file.uid == 0 && exec.uid != 0 && exec.envs in [~\"*GLIBC_TUNABLES*\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404434303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"afy-gnp-rfp","attributes":{"version":1,"name":"kernel_msr_write","description":"A + process attempted to enable writing to model-specific registers","expression":"exec.comm + == \"modprobe\" && process.args =~ \"*msr*allow_writes*\"","category":"Process + Activity","creationDate":0,"updateDate":1704404434302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qew-m41-jfc","attributes":{"version":1,"name":"ransomware_note","description":"Possible + ransomware note created under common user directories","expression":"open.flags + & O_CREAT > 0 && open.file.path in [~\"/home/**\", ~\"/root/**\", 
~\"/bin/**\", + ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", + ~\"/var/backup/**\", ~\"/var/www/**\"] && open.file.name in [r\"(?i).*(restore|recovery|readme|instruction|how_to|ransom).*|.*(your_|crypt|lock|important).*\\.txt$\"] + && open.file.name != \"README.md\"","category":"File Activity","creationDate":0,"updateDate":1704404434302,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mwt-r43-san","attributes":{"version":1,"name":"sensitive_tracing","description":"A + process is tracing privileged processes or sshd for possible credential dumping","expression":"(ptrace.request + == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request + == PTRACE_PEEKUSR) && ptrace.tracee.euid == 0 && process.comm not in [\"dlv\", + \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","category":"Kernel + Activity","creationDate":0,"updateDate":1704404434302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ul7-jol-1bw","attributes":{"version":1,"name":"cryptominer_envs","description":"Process + environment variables match cryptocurrency miner","expression":"exec.envs + in [~\"*POOL_USER*\", ~\"*POOL_URL*\", ~\"*POOL_PASS*\", ~\"*DONATE_LEVEL*\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404426851,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dqg-wa2-0oi","attributes":{"version":1,"name":"procdump_execution","description":"A + tool used to dump process memory has been executed","expression":"exec.file.name + in 
[\"procmon.exe\",\"procdump.exe\"]","category":"Process Activity","creationDate":0,"updateDate":1704404425515,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"csf-k3c-qka","attributes":{"version":1,"name":"minidump_usage","description":"Process + memory was dumped using the minidump function from comsvcs.dll","expression":"exec.cmdline + =~ \"*MiniDump*\"","category":"Process Activity","creationDate":0,"updateDate":1704404425504,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ghp-mfr-1qz","attributes":{"version":1,"name":"tunnel_traffic","description":"Tunneling + or port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" + || exec.comm == \"gost\") && process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm + in [\"ssh\", \"sshd\"] && process.args in [r\".*(-R|-L|-D|w).*\"] && process.args + in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == + \"sshuttle\" && process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm + == \"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm + in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", + \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", + \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","category":"Process + Activity","creationDate":0,"updateDate":1704404425504,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uhr-n6q-lvh","attributes":{"version":1,"name":"iptables_egress_allowed","description":"Egress + traffic allowed using 
iptables","expression":"exec.comm == \"iptables\" && + process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] + && process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404424741,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"642-j0s-psf","attributes":{"version":1,"name":"libpam_ebpf_hook","description":"Library + libpam.so hooked using eBPF","expression":"bpf.cmd == BPF_MAP_CREATE && process.args + in [r\".*libpam.so.*\"]","category":"Kernel Activity","creationDate":0,"updateDate":1704404424739,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u8d-fot-gin","attributes":{"version":1,"name":"wmi_spawning_shell","description":"Command + executed via WMI","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] + && process.parent.file.name == \"WmiPrvSE.exe\"","category":"Process Activity","creationDate":0,"updateDate":1704404424705,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"17k-2xh-ie2","attributes":{"version":1,"name":"crackmap_exec_executed","description":"Known + offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", + ~\"*cme*\"]","category":"Process Activity","creationDate":0,"updateDate":1704404424475,"filters":["os + == 
\"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"45j-2y7-vyd","attributes":{"version":1,"name":"chatroom_request","description":"A + newly created file contacted a chatroom domain","expression":"dns.question.name + in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] && process.file.in_upper_layer + && process.file.change_time < 60s","category":"Network Activity","creationDate":0,"updateDate":1704404424472,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ecn-u6p-nqz","attributes":{"version":1,"name":"suspicious_bitsadmin_usage","description":"A + suspicious bitsadmin command has been executed","expression":"exec.file.name + == \"bitsadmin.exe\" && exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404424472,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xcs-z8z-hx3","attributes":{"version":1,"name":"ntds_in_commandline","description":"NTDS + file referenced in commandline","expression":"exec.cmdline =~ \"*ntds.dit*\"","category":"Process + Activity","creationDate":0,"updateDate":1704404424468,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"l7e-zmy-5pd","attributes":{"version":1,"name":"scheduled_task_creation","description":"A + scheduled task was created","expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404424467,"filters":["os 
== \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"i8x-ujp-ueg","attributes":{"version":1,"name":"delete_system_log","description":"A + process deleted common system log files","expression":"unlink.file.path in + [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", + \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", + \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] && process.comm + not in [\"dockerd\", \"containerd\"]","category":"File Activity","creationDate":0,"updateDate":1704404424465,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xns-u7l-cxs","attributes":{"version":1,"name":"certutil_usage","description":"Certutil + was executed to transmit or decode a potentially malicious file","expression":"exec.file.name + == \"certutil.exe\" && ((exec.cmdline =~ \"*urlcache*\" && exec.cmdline =~ + \"*split*\") || exec.cmdline =~ \"*decode*\")","category":"Process Activity","creationDate":0,"updateDate":1704404424457,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hxr-rjo-6am","attributes":{"version":1,"name":"open_msr_writes","description":"A + process opened a model-specific register (MSR) configuration file","expression":"open.file.path + == \"/sys/module/msr/parameters/allow_writes\" && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY + > 0","category":"File Activity","creationDate":0,"updateDate":1704404424453,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jzh-eac-blf","attributes":{"version":1,"name":"exec_wrmsr","description":"The + wrmsr program executed","expression":"exec.comm == \"wrmsr\"","category":"Process + Activity","creationDate":0,"updateDate":1704404424444,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mdd-iec-z0k","attributes":{"version":14,"name":"database_shell_execution","description":"A + database application spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + &&\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n!(process.parent.file.name + == \"initdb\" &&\nexec.args == \"-c locale -a\") &&\n!(process.parent.file.name + 
== \"postgres\" &&\nexec.args == ~\"*pg_wal*\")","category":"Process Activity","creationDate":1617722069155,"updateDate":1704404408433,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wic-due-xxn","attributes":{"version":2,"name":"pci_11_5_critical_binaries_open_v2","description":"Critical + system binaries may have been modified","expression":"(\n open.flags & + (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", + ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", + ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at + > 90s","category":"File Activity","creationDate":0,"updateDate":1704404408077,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ie9-9ii-vjx","attributes":{"version":18,"name":"nsswitch_conf_mod_chmod","description":"nsswitch + may have been modified without authorization","expression":"(\n (chmod.file.path + in [ \"/etc/nsswitch.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode + && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142958657,"updateDate":1704404407750,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1ez-rlj-tiq","attributes":{"version":2,"name":"nsswitch_conf_mod_open_v2","description":"nsswitch + may have been modified without authorization","expression":"(\n open.flags + & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" + ])\n) && container.created_at > 90s && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":0,"updateDate":1704404407660,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oi0-rk3-alq","attributes":{"version":2,"name":"ssl_certificate_tampering_open_v2","description":"SSL + certificates may have been tampered with","expression":"(\n open.flags + & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", + ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"\n&& container.created_at > 90s","category":"File + Activity","creationDate":0,"updateDate":1704404407651,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vzp-pj6-nlx","attributes":{"version":19,"name":"nsswitch_conf_mod_chown","description":"nsswitch + may have been modified without authorization","expression":"(\n (chown.file.path + in [ \"/etc/nsswitch.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid + || chown.file.destination.gid != chown.file.gid) && process.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142958657,"updateDate":1704404407506,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wbw-rqf-s3a","attributes":{"version":18,"name":"nsswitch_conf_mod_open","description":"nsswitch + may have been modified without authorization","expression":"(\n open.flags + & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" + ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142958657,"updateDate":1704404407503,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vkp-n2c-4el","attributes":{"version":3,"name":"credential_modified_open_v2","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n open.flags + & 
((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", + \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", + \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", + \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", + \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at + > 90s","category":"File Activity","creationDate":0,"updateDate":1704404407503,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ir2-b4s-gfn","attributes":{"version":3,"name":"ssh_authorized_keys_open_v2","description":"SSH + modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" + ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" + ])\n) && container.created_at > 90s","category":"File Activity","creationDate":0,"updateDate":1704404407501,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c2x-vcd-5b4","attributes":{"version":3,"name":"package_management_in_container_v2","description":"Package + management was detected in a conatiner outside of container start_up","expression":"exec.file.path + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + && container.id != \"\" && container.created_at > 90s","category":"Process + Activity","creationDate":0,"updateDate":1704404407500,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nmo-zeb-pga","attributes":{"version":3,"name":"suspicious_suid_execution","description":"Recently + written or modified suid file has been executed","expression":"((process.file.mode + & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name + != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"Process Activity","creationDate":0,"updateDate":1704404407500,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"crl-kkv-3cm","attributes":{"version":3,"name":"tde_testing_tampering","description":"testing + only","expression":"exec.comm == \"abcdefgh\"","category":"Process Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703684038882,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1704280473848,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering 
CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"s6d-kk2-xoh","attributes":{"version":1,"name":"tde_malware_tunneling_and_port_forwarding_technique_used","description":"Tunneling + and port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" + || exec.comm == \"gost\") && process.args in [r\".*(-L|-C|-R).*\"])||(exec.comm + in [\"ssh\", \"sshd\"] && process.args in [r\".*(-R|-L|-D|w).*\"] && process.args + in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == + \"sshuttle\" && process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm + == \"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm + in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", + \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", + \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","category":"Process + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703183027074,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703183027074,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"iqa-7wg-rxt","attributes":{"version":1,"name":"tde_malware_privileged_processes_or_sshd_traced","description":"A + process is tracing privileged processes or sshd for possible credential dumping","expression":"((ptrace.tracee.euid==0 + && ptrace.tracee.uid ==0)||ptrace.tracee.comm in [~\"*sshd*\"]) && process.comm + not in [\"dlv\"]","category":"Kernel 
Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703180056299,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703180056299,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"w8h-hbp-12m","attributes":{"version":1,"name":"tde_malware_system_logs_deleted","description":"A + process deleted common system log files","expression":"unlink.file.path in + [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", + \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", + \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] && process.comm + !=\"dockerd\"","category":"File Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703178864120,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703178864120,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"wxv-xlp-34y","attributes":{"version":1,"name":"tde_malware_files_with_extensions_created","description":"Multiple + files with extensions created under common user directories","expression":"rename.file.path + in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/var/log/**\", + ~\"/var/lib/log/**\", ~\"/var/backup/*\", ~\"/var/www/**\"] && rename.file.destination.name + in [r\"\\.[0-9a-z]+$\"] && rename.file.destination.name not in 
[r\".*\\.(lock|dbtmp|log|journal|ini|sh|json|yml|tmp|snap|txt|pyc|stat|hcl|[0-9])+$\"] + && process.comm not in [\"python\",\"python3\",\"agent\",\"security-agent\",\"kubectl\",\"kubelet\",\"datadog-cluster\"]","category":"File + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703174626572,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703174626572,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"3fl-m83-qqt","attributes":{"version":1,"name":"tde_malware_proxychains_executed","description":"Proxychaining + technique used","expression":"exec.comm == \"proxychains\"","category":"Process + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703171141223,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703171141223,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"gha-zgq-l5p","attributes":{"version":1,"name":"tde_malware_egress_traffic_allowed_iptables","description":"iptables + used to allow egress traffic","expression":"exec.comm == \"iptables\" && process.args + in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] + && process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(172\\.3[0-1]|\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","category":"Process + 
Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703167436195,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703167436195,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"n9z-ini-wrv","attributes":{"version":1,"name":"tde_malware_kernel_module_loaded_from_tmp","description":"Kernel + module loaded from common tmp directories","expression":"load_module.file.path + in [ ~\"/tmp/**\", ~\"/var/tmp/**\" ]","category":"Kernel Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703167436172,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703167436172,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"4jr-tig-mue","attributes":{"version":1,"name":"tde_malware_libpam_hooked_using_ebpf","description":"Libpam.so + library hooked using ebpf","expression":"bpf.cmd == BPF_MAP_CREATE && process.args + in [r\".*libpam.so.*\"]","category":"Kernel Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703160289438,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703160289438,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering 
CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"f24-lwh-8pz","attributes":{"version":3,"name":"ps_discovery","description":"Processes + were listed using the ps command","expression":"exec.comm == \"ps\" && exec.argv + not in [\"-p\", \"--pid\"] && process.ancestors.file.name not in [\"qualys-cloud-agent\", + \"amazon-ssm-agent\"]","category":"Process Activity","creationDate":0,"updateAuthorUuId":"309c6bc6-6e68-11ec-b3fe-da7ad0900002","updateDate":1702489222385,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Matt + Mills","handle":"matt.mills@datadoghq.com"}},"type":"agent_rule"},{"id":"esa-kku-q4m","attributes":{"version":8,"name":"common_net_intrusion_util","description":"A + network utility (nmap) commonly used in intrusion attacks was executed","expression":"exec.file.name + in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", + \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]","category":"Process + Activity","creationDate":0,"updateAuthorUuId":"de54768c-eb9f-11e9-a77a-cb84d47a0c16","updateDate":1700488339815,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"C\u00e9cile + Guyon","handle":"cecile.guyon@datadoghq.com"}},"type":"agent_rule"},{"id":"ll4-n4d-zsq","attributes":{"version":8,"name":"k8s_pod_service_account_token_accessed","description":"The + Kubernetes pod service account token was accessed","expression":"open.file.path + in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] + && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not + in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", + \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", + \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", + \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", + \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", + \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", + \"/node-termination-handler\", \"/fluent-bit-gke-exporter\"] && process.ancestors.file.path + not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","creationDate":0,"updateDate":1699614647574,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o5b-3eb-em5","attributes":{"version":4,"name":"interactive_shell_in_container","description":"An + interactive shell was started inside of a container","expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n 
\"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] && exec.args_flags in [\"i\"] && container.id !=\"\"","category":"Process + Activity","creationDate":1627392835654,"updateDate":1699614634532,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pm7-0bt-lbp","attributes":{"version":19,"name":"ssh_authorized_keys_unlink","description":"SSH + modified keys may have been modified","expression":"(\n unlink.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] && (unlink.file.path in [ + ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File + Activity","creationDate":1642158535302,"updateDate":1699614632218,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6ss-gx0-o0l","attributes":{"version":2,"name":"exec_lsmod","description":"Kernel + modules were listed using the lsmod command","expression":"exec.comm == \"lsmod\"","category":"Process + Activity","creationDate":0,"updateDate":1699614632049,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bay-wrp-htk","attributes":{"version":2,"name":"omigod","description":"Omiagent + spawns a privileged child process","expression":"exec.uid >= 0 && process.ancestors.file.name + == 
\"omiagent\"","category":"Process Activity","creationDate":1636729662305,"updateDate":1699614629763,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5vv-6pw-c3z","attributes":{"version":2,"name":"exec_whoami","description":"The + whoami command was executed","expression":"exec.comm == \"whoami\"","category":"Process + Activity","creationDate":0,"updateDate":1699614622203,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lb9-6hv-6k2","attributes":{"version":22,"name":"systemd_modification_utimes","description":"A + service may have been modified without authorization","expression":"(\n (utimes.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":0,"updateDate":1699614620744,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u8t-ums-bdn","attributes":{"version":9,"name":"suspicious_container_client","description":"A + container management utility was executed in a container","expression":"exec.file.name + in [\"docker\", \"kubectl\"] && container.id != \"\"","category":"Process + Activity","creationDate":1617722068555,"updateDate":1699614618370,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3kb-bma-rya","attributes":{"version":4,"name":"auditd_config_modified","description":"The + auditd configuration file was modified without using auditctl","expression":"open.file.path + == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 && process.file.name != \"auditctl\"","category":"File Activity","creationDate":0,"updateDate":1699614615388,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lag-ggh-k1o","attributes":{"version":2,"name":"network_sniffing_tool","description":"Local + account groups were enumerated after container start up","expression":"exec.file.name + in [\"tcpdump\", \"tshark\"]","category":"Process Activity","creationDate":0,"updateDate":1699614614908,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o4t-6hb-gsb","attributes":{"version":22,"name":"systemd_modification_unlink","description":"A + service may have been modified without authorization","expression":"(\n (unlink.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":0,"updateDate":1699614614159,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cp9-wqy-ie5","attributes":{"version":19,"name":"ssh_authorized_keys_rename","description":"SSH + modified keys may have been modified","expression":"(\n rename.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] && (rename.file.path in [ + ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File + Activity","creationDate":1642158535225,"updateDate":1699614610736,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mmd-hm9-nul","attributes":{"version":28,"name":"pci_11_5_critical_binaries_unlink","description":"Critical + system binaries may have been modified","expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) - && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"kzh-5hn-edg"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_chown","creator":{"handle":"","name":""},"description":"Critical - System 
Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (chown.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535384,"updateDate":1699614610678,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sjc-t7h-y3g","attributes":{"version":2,"name":"sudoers_policy_modified_open","description":"Sudoers + policy file may have been modified without authorization","expression":"\n(open.flags + & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n(open.file.path == \"/etc/sudoers\")) + && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","creationDate":0,"updateDate":1699614610658,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wty-l8v-uum","attributes":{"version":22,"name":"systemd_modification_open","description":"A + service may have been modified without authorization","expression":"(\n open.flags + & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ 
~\"/lib/systemd/system/**\", + ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158534936,"updateDate":1699614610639,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1fj-fmh-6kw","attributes":{"version":4,"name":"compile_after_delivery","description":"A + compiler wrote a suspicious file in a container","expression":"open.flags + & O_CREAT > 0\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in + [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", + ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n&& (process.comm + in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", + \"clang\", \"gcc\",\"bcc\"])\n&& process.file.name not in [\"pip\", ~\"python*\"]\n&& + container.id != \"\"","category":"File Activity","creationDate":0,"updateAuthorUuId":"82ba1758-696c-11ea-828d-fb376ef71e70","updateDate":1699614610524,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qox-gue-mq8","attributes":{"version":3,"name":"pwnkit_privilege_escalation","description":"A + process was spawned with indicators of exploitation of CVE-2021-4034","expression":"(exec.file.path + == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.envs + not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)","category":"Process + Activity","creationDate":1643639113864,"updateDate":1699614610455,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dlp-tcr-jju","attributes":{"version":2,"name":"kmod_list","description":"Kernel + modules were listed using the kmod command","expression":"exec.comm == \"kmod\" + && exec.args in [~\"*list*\"]","category":"Process Activity","creationDate":0,"updateDate":1699614610436,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"knr-3tx-cl8","attributes":{"version":2,"name":"java_shell_execution_parent","description":"A + java process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n&& + process.parent.file.name == \"java\"","category":"Process Activity","creationDate":0,"updateDate":1699614610329,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r8w-red-u4k","attributes":{"version":2,"name":"kernel_module_load_from_memory","description":"A + kernel module was loaded from memory","expression":"load_module.loaded_from_memory + == true","category":"Kernel Activity","creationDate":1650293718630,"updateDate":1699614610258,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jnv-fq4-f23","attributes":{"version":2,"name":"sudoers_policy_modified_chmod","description":"Sudoers + policy file may have been modified without authorization","expression":"(\n (chmod.file.path + == \"/etc/sudoers\") \n) && chmod.file.destination.mode != chmod.file.mode + && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File + Activity","creationDate":0,"updateDate":1699614610235,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ji5-8o4-btp","attributes":{"version":2,"name":"kubernetes_dns_enumeration","description":"Kubernetes + DNS enumeration","expression":"dns.question.name == \"any.any.svc.cluster.local\" + && dns.question.type == SRV && container.id != \"\"","category":"Network Activity","creationDate":0,"updateDate":1699614610050,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3j1-wdg-qsg","attributes":{"version":28,"name":"pci_11_5_critical_binaries_open","description":"Critical + system binaries may have been modified","expression":"(\n open.flags & + (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", + ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", + ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535263,"updateDate":1699614610036,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vaz-icd-nel","attributes":{"version":2,"name":"net_file_download","description":"A + suspicious file was written by a network utility","expression":"open.flags + & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n&& + (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", + ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", + ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","category":"File Activity","creationDate":0,"updateDate":1699614609925,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hir-1j3-tsx","attributes":{"version":20,"name":"ssh_authorized_keys_chown","description":"SSH + modified keys may have been modified","expression":"(\n chown.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ + ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File + Activity","creationDate":1642158534934,"updateDate":1699614609845,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mag-ijd-ucx","attributes":{"version":2,"name":"sudoers_policy_modified_utimes","description":"Sudoers + policy file may have been modified without authorization","expression":"(\n (utimes.file.path + == \"/etc/sudoers\")\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":0,"updateDate":1699614609831,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yq3-x9w-n3j","attributes":{"version":2,"name":"tar_execution","description":"Tar + archive created","expression":"exec.file.path == \"/usr/bin/tar\" && exec.args_flags + in [\"create\",\"c\"]","category":"Process Activity","creationDate":0,"updateDate":1699614609831,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sfh-mqa-shl","attributes":{"version":24,"name":"ssl_certificate_tampering_chown","description":"SSL + certificates may have been tampered with","expression":"(\n (chown.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535153,"updateDate":1699614609662,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"f6g-gbx-9l6","attributes":{"version":4,"name":"auditd_rule_file_modified","description":"The + auditd rules file was modified without using auditctl","expression":"open.file.path + in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] && open.flags + & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File + Activity","creationDate":0,"updateDate":1699614609625,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ysi-0bm-8tc","attributes":{"version":34,"name":"kernel_module_chmod","description":"A + new kernel module was added","expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path + != \"/usr/bin/kmod\"\n) && chmod.file.destination.mode != chmod.file.mode","category":"File + Activity","creationDate":1642158535040,"updateDate":1699614609526,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0sl-ako-4w6","attributes":{"version":24,"name":"ssl_certificate_tampering_utimes","description":"SSL + certificates may have been tampered with","expression":"(\n (utimes.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& + process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":0,"updateDate":1699614609522,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4ec-mzv-u5g","attributes":{"version":5,"name":"kernel_module_load","description":"A + kernel module was loaded","expression":"load_module.name not in [\"nf_tables\", + \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", + \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] && process.ancestors.file.name + not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", + \"ssm-agent-worker\"]","category":"Kernel Activity","creationDate":1650293718458,"updateDate":1699614609521,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kik-wm5-my4","attributes":{"version":5,"name":"dynamic_linker_config_unlink","description":"A + process unlinked a dynamic linker config file","expression":"unlink.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","creationDate":0,"updateDate":1699614609521,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tji-eua-ery","attributes":{"version":2,"name":"sudoers_policy_modified_rename","description":"Sudoers + policy file may have been modified without 
authorization","expression":"(\n (rename.file.path + == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","category":"File + Activity","creationDate":0,"updateDate":1699614609520,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bpi-apd-1ad","attributes":{"version":1,"name":"offensive_k8s_tool","description":"A + known kubernetes pentesting tool has been executed","expression":"(exec.file.name + in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv || \"kubestriker\" in + exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process + Activity","creationDate":0,"updateDate":1699605542656,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rcz-xwn-5lq","attributes":{"version":1,"name":"redis_save_module","description":"Redis + module has been created","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 && open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", + ~\"*.so\"]) && process.file.name in [\"redis-check-rdb\", \"redis-server\"]","category":"File + Activity","creationDate":0,"updateDate":1699605540650,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oit-dq6-jtz","attributes":{"version":4,"name":"net_util_exfiltration","description":"Exfiltration + attempt via network utility","expression":"exec.comm in [\"wget\", \"curl\", + \"lwp-download\"] && \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", + ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] &&\nexec.args 
not in + [~\"*localhost*\", ~\"*127.0.0.1*\"]","category":"Process Activity","creationDate":0,"updateDate":1699605533426,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wos-cqg-alj","attributes":{"version":27,"name":"pci_11_5_critical_binaries_rename","description":"Critical + system binaries may have been modified","expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) - && (chown.uid != chown.file.uid || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"yly-big-wfq"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_link","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (link.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ]\n || link.file.destination.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", 
~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535169,"updateDate":1699605533116,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1bt-oqb-nhw","attributes":{"version":27,"name":"pci_11_5_critical_binaries_link","description":"Critical + system binaries may have been modified","expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"rm1-b8h-cec"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_rename","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (rename.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ]\n || rename.file.destination.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535044,"updateDate":1699605533055,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"f1p-4uk-ji9","attributes":{"version":2,"name":"selinux_disable_enforcement","description":"SELinux + enforcement status was disabled","expression":"selinux.enforce.status in [\"permissive\", + \"disabled\"] && process.ancestors.args != ~\"*BECOME-SUCCESS*\"","category":"Kernel + Activity","creationDate":1635332067172,"updateDate":1699605533031,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ewk-kr1-m8w","attributes":{"version":6,"name":"runc_modification","description":"The + runc binary was modified in a non-standard way","expression":"open.file.path + in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags + & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n&& + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File + 
Activity","creationDate":1627392837049,"updateDate":1699605532961,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4ym-hxb-nfc","attributes":{"version":27,"name":"pci_11_5_critical_binaries_utimes","description":"Critical + system binaries may have been modified","expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"1vg-wvn-jeo"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_open","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/bin/*\", - ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", - ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"tmh-now-e61"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_unlink","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (unlink.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535079,"updateDate":1699605532927,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"39x-fmc-9sw","attributes":{"version":27,"name":"pci_11_5_critical_binaries_chown","description":"Critical + system binaries may have been modified","expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"mhl-gkn-bun"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_utimes","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (utimes.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","category":"File Activity","creationDate":1642158535097,"updateDate":1699605532862,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3xp-uvx-hxk","attributes":{"version":13,"name":"apparmor_modified_tty","description":"An + AppArmor profile was modified in an interactive session","expression":"exec.file.name + in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name !=\"\"","category":"Process + Activity","creationDate":1627392836162,"updateAuthorUuId":"f4183a42-8a64-11ea-93df-c318904b3ca4","updateDate":1699605532856,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"v4a-bat-ppk","attributes":{"version":27,"name":"pci_11_5_critical_binaries_chmod","description":"Critical + system binaries may have been modified","expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"6ef-efv-07c"},{"attributes":{"category":"File - Activity","name":"systemd_modification_chmod","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (chmod.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"kuu-k1s-gqz"},{"attributes":{"category":"File - Activity","name":"systemd_modification_chown","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (chown.file.path - in [ 
~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) && (chown.uid != chown.file.uid - || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"qdc-oqx-zsx"},{"attributes":{"category":"File - Activity","name":"systemd_modification_link","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (link.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", - ~\"/etc/systemd/system/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"bgs-kbk-xkh"},{"attributes":{"category":"File - Activity","name":"systemd_modification_rename","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (rename.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", - ~\"/etc/systemd/system/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"rek-wb4-s7y"},{"attributes":{"category":"File - Activity","name":"systemd_modification_open","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/*\", - ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"nlp-lzc-rcf"},{"attributes":{"category":"File - Activity","name":"systemd_modification_unlink","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (unlink.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"kxs-kt6-5gt"},{"attributes":{"category":"File - Activity","name":"systemd_modification_utimes","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (utimes.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", 
\"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"t8w-eul-chf"},{"attributes":{"category":"File - Activity","name":"credential_modified_chmod","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (chmod.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"4fh-bb7-747"},{"attributes":{"category":"File - Activity","name":"credential_modified_chown","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (chown.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + && chmod.file.destination.mode != chmod.file.mode","category":"File 
Activity","creationDate":1642158535079,"updateDate":1699605532822,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ylg-dxo-yuk","attributes":{"version":2,"name":"rc_scripts_modified","description":"RC + scripts modified","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 && (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File + Activity","creationDate":0,"updateDate":1699605532814,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mal-nic-u3y","attributes":{"version":3,"name":"Deno_unauthorized_subprocess_created","description":"Unauthorized + subprocess created by deno runtime","expression":"exec.comm !=\"\" && process.ancestors.comm==\"deno\" + && process.ancestors.args not in [r\".*(allow-run|-A|allow-all).*\"]","category":"Process + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1691743022082,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1692012153553,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"cwq-z6j-igp","attributes":{"version":2,"name":"Deno_unauthorized_network_access_performed","description":"Unauthorized + network access by deno runtime","expression":"bind.addr.family>=0 && process.comm==\"deno\" + 
&& process.args not in [r\".*(allow-net|allow-ffi|-A|allow-all).*\"]","category":"Kernel + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1691743022106,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1692012153529,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"hfc-a0c-8yl","attributes":{"version":1,"name":"executable_bit_added","description":"The + executable bit was added to a newly created file","expression":"chmod.file.in_upper_layer + &&\nchmod.file.change_time < 30s &&\ncontainer.id != \"\" &&\nchmod.file.destination.mode + != chmod.file.mode &&\nchmod.file.destination.mode & S_IXUSR|S_IXGRP|S_IXOTH + > 0 &&\nprocess.argv in [\"+x\"]","category":"File Activity","creationDate":0,"updateDate":1690311003102,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"osi-fya-a5p","attributes":{"version":19,"name":"ssh_authorized_keys_link","description":"SSH + modified keys may have been modified","expression":"(\n link.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] && (link.file.path in [ ~\"/root/.ssh/*\", + ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File + 
Activity","creationDate":1642158535286,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o5j-dvu-sdy","attributes":{"version":19,"name":"ssh_authorized_keys_utimes","description":"SSH + modified keys may have been modified","expression":"(\n utimes.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] && (utimes.file.path in [ + ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File + Activity","creationDate":1642158535278,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rut-8bg-ycb","attributes":{"version":31,"name":"credential_modified_utimes","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) && (chown.uid != chown.file.uid - || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"eoy-4fe-q7q"},{"attributes":{"category":"File - Activity","name":"credential_modified_link","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (link.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path + [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", 
\"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535200,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qka-g4s-khh","attributes":{"version":19,"name":"ssh_authorized_keys_open","description":"SSH + modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" + ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" + ])\n)","category":"File Activity","creationDate":1642158534864,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g5n-jhl-zge","attributes":{"version":17,"name":"pam_modification_rename","description":"PAM + may have been modified without authorization","expression":"(\n (rename.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File 
Activity","creationDate":1606142936138,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xrg-evq-ka5","attributes":{"version":17,"name":"pam_modification_unlink","description":"PAM + may have been modified without authorization","expression":"(\n (unlink.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1606142936138,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nnu-ch5-3gm","attributes":{"version":1,"name":"deploy_priv_container","description":"A + privileged container was created","expression":"exec.file.name != \"\" && + container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0","category":"Process + Activity","creationDate":0,"updateDate":1688748464067,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6ln-wqy-y8b","attributes":{"version":1,"name":"net_util_in_container_v2","description":"A + network utility was executed in a container","expression":"(exec.comm in [\"socat\", + \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm + in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args + not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at + > 180s","category":"Process 
Activity","creationDate":0,"updateDate":1688748463994,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hmy-il6-bk5","attributes":{"version":1,"name":"hidden_file_executed","description":"A + hidden file was executed in a suspicious folder","expression":"exec.file.name + =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", + ~\"/dev/shm/**\"]","category":"Process Activity","creationDate":0,"updateDate":1688748463951,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iwa-79s-pb3","attributes":{"version":1,"name":"shell_profile_modification","description":"Shell + profile was modified","expression":"open.file.path in [~\"/home/*/*profile\", + ~\"/home/*/*rc\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0","category":"File + Activity","creationDate":0,"updateDate":1688748463951,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mr2-bwg-0jr","attributes":{"version":1,"name":"suid_file_execution","description":"a + SUID file was executed","expression":"(setuid.euid == 0 || setuid.uid == + 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid + != 0 && process.file.path != \"/usr/bin/sudo\"","category":"File Activity","creationDate":0,"updateDate":1688748463947,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zdz-pje-kbg","attributes":{"version":4,"name":"python_cli_code","description":"Python + code was provided on the command line","expression":"exec.file.name == ~\"python*\" + && exec.args_flags in [\"c\"] 
&& exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", + \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] && exec.args !~ \"*setuptools*\"","category":"Process + Activity","creationDate":0,"updateDate":1688748460425,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"doi-13m-kzx","attributes":{"version":1,"name":"kubernetes_offensive_tool_executed","description":"Kubernetes + offensive tool executed","expression":"(exec.file.name in [ ~\"python*\" ] + && (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv )) || exec.file.name + in [\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1688462439963,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1688462439963,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"nrd-9be-wnm","attributes":{"version":9,"name":"compiler_in_container","description":"Compiler + Executed in Container","expression":"(exec.file.name in [\"javac\", \"clang\", + \"gcc\",\"bcc\"] || (exec.file.name == \"go\" && exec.args in [~\"*build*\", + ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path != \"/usr/bin/cilium-agent\"","category":"Process + Activity","creationDate":1627392836759,"updateAuthorUuId":"9d3a4eb0-1e67-11ed-b20c-da7ad0900002","updateDate":1685978095211,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"John + 
Murray","handle":"john.murray@datadoghq.com"}},"type":"agent_rule"},{"id":"jea-2m4-kyy","attributes":{"version":1,"name":"curl_docker_socket","description":"The + Docker socket was referenced in a cURL command","expression":"exec.file.name + == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args in [\"*docker.sock*\"] + && container.id != \"\"","category":"Process Activity","creationDate":0,"updateDate":1684184973805,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"i1f-7yg-x6s","attributes":{"version":1,"name":"sudoers_policy_modified_link","description":"Sudoers + policy file may have been modified without authorization","expression":"(\n (link.file.path + == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","category":"File + Activity","creationDate":0,"updateDate":1684184973412,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r5j-bb3-dmf","attributes":{"version":1,"name":"read_release_info","description":"OS + information was read from the /etc/lsb-release file","expression":"open.file.path + == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0","category":"File Activity","creationDate":0,"updateDate":1684184973295,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"98m-cex-egg","attributes":{"version":1,"name":"user_deleted_tty","description":"A + user was deleted via an interactive session","expression":"exec.file.name + in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"Process + Activity","creationDate":0,"updateDate":1684184973238,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"luc-at7-mvw","attributes":{"version":1,"name":"sudoers_policy_modified_chown","description":"Sudoers + policy file may have been modified without authorization","expression":"(\n (chown.file.path + == \"/etc/sudoers\")\n) && (chown.file.destination.uid != chown.file.uid || + chown.file.destination.gid != chown.file.gid)","category":"File Activity","creationDate":0,"updateDate":1684184973211,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8qc-61h-epb","attributes":{"version":1,"name":"sudoers_policy_modified_unlink","description":"Sudoers + policy file may have been modified without authorization","expression":"(\n (unlink.file.path + == \"/etc/sudoers\")\n)","category":"File Activity","creationDate":0,"updateDate":1684184973209,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"2np-cy4-jad","attributes":{"version":1,"name":"service_stop","description":"systemctl + used to stop a service","expression":"exec.file.name == \"systemctl\" && exec.args + in [~\"*stop*\"]","category":"Process Activity","creationDate":0,"updateDate":1684184973206,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"azw-asm-uwe","attributes":{"version":1,"name":"read_kubeconfig","description":"The + kubeconfig file was accessed","expression":"open.file.path in [~\"/home/*/.kube/config\", + 
\"/root/.kube/config\"]","category":"File Activity","creationDate":0,"updateDate":1684184973196,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qp4-oog-vwu","attributes":{"version":1,"name":"jupyterhub_shell","description":"A + shell command was executed from a JupyterHub code cell","expression":"exec.file.path + == \"/usr/bin/bash\" && process.ancestors.comm == \"jupyterhub-sing\"","category":"Process + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1682687626099,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1682687626099,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"k2h-ntz-zno","attributes":{"version":3,"name":"auditctl_usage","description":"The + auditctl command was used to modify auditd","expression":"exec.file.name == + \"auditctl\"","category":"Process Activity","creationDate":0,"updateDate":1681806567456,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Cl\u00e9ment + Kuzniewycz","handle":"clement.kuzniewycz@datadoghq.com"}},"type":"agent_rule"},{"id":"fft-hfp-fuu","attributes":{"version":7,"name":"aws_eks_service_account_token_accessed","description":"The + AWS EKS service account token was accessed","expression":"open.file.path =~ + \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" && open.file.name + == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + 
\"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","creationDate":0,"updateDate":1681806564733,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Cl\u00e9ment + Kuzniewycz","handle":"clement.kuzniewycz@datadoghq.com"}},"type":"agent_rule"},{"id":"ucr-akl-jgo","attributes":{"version":3,"name":"aws_imds","description":"An + AWS IMDS was called via a network utility","expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", + \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","category":"Process + Activity","creationDate":0,"updateDate":1681806563896,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Cl\u00e9ment + Kuzniewycz","handle":"clement.kuzniewycz@datadoghq.com"}},"type":"agent_rule"},{"id":"p6d-hln-r9c","attributes":{"version":23,"name":"ssl_certificate_tampering_chmod","description":"SSL + certificates may have been tampered with","expression":"(\n (chmod.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + && chmod.file.mode != chmod.file.destination.mode\n&& process.file.path != + \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& + process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name + !~ \"runc*\"","category":"File Activity","creationDate":1642158535314,"updateDate":1681490426484,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9e8-rvn-6hv","attributes":{"version":23,"name":"ssl_certificate_tampering_unlink","description":"SSL + certificates may have been tampered with","expression":"(\n (unlink.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& + process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535055,"updateDate":1681490425998,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rim-3ys-upw","attributes":{"version":3,"name":"dynamic_linker_config_write","description":"A + process wrote to a dynamic linker config file","expression":"open.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] + && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in + [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","creationDate":0,"updateDate":1681490425873,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"twt-qsc-twv","attributes":{"version":23,"name":"ssl_certificate_tampering_link","description":"SSL + certificates may have been tampered with","expression":"(\n (link.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.file.name !~ \"runc*\"\n)","category":"File 
Activity","creationDate":1642158535139,"updateDate":1681490425573,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1n2-xpg-6nx","attributes":{"version":23,"name":"ssl_certificate_tampering_open","description":"SSL + certificates may have been tampered with","expression":"(\n open.flags + & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", + ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":0,"updateDate":1681490425289,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uot-9ro-hpp","attributes":{"version":2,"name":"shell_history_deleted","description":"Shell + History was Deleted","expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") + && process.comm not in [\"dockerd\", \"containerd\"]","category":"File Activity","creationDate":0,"updateDate":1681490425280,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jxj-xnb-lua","attributes":{"version":3,"name":"shell_history_truncated","description":"Shell + History was Deleted","expression":"open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 && open.file.name =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path + in [~\"/root/*\", ~\"/home/**\"] && process.file.name == 
\"truncate\"","category":"File + Activity","creationDate":0,"updateDate":1681490425220,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gur-w5f-2kn","attributes":{"version":23,"name":"ssl_certificate_tampering_rename","description":"SSL + certificates may have been tampered with","expression":"(\n (rename.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& + process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535082,"updateDate":1681490425217,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jiu-wmv-ig0","attributes":{"version":35,"name":"credential_modified_chmod","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"r5z-tke-sjm"},{"attributes":{"category":"File - Activity","name":"credential_modified_rename","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (rename.file.path + [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","creationDate":1642158535177,"updateDate":1678909084442,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Nick + Allen","handle":"nick.allen@datadoghq.com"}},"type":"agent_rule"},{"id":"bg2-noz-ouf","attributes":{"version":6,"name":"dirty_pipe_attempt","description":"Potential + Dirty pipe exploitation attempt","expression":"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) + != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid + != 0 && process.gid != 0)","category":"File Activity","creationDate":1648564123603,"updateDate":1678308032425,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Alexander + 
Daskalov","handle":"alexander.daskalov@datadoghq.com"}},"type":"agent_rule"},{"id":"ydj-k3d-kh3","attributes":{"version":4,"name":"ip_check_domain","description":"A + DNS lookup was done for a IP check service","expression":"dns.question.name + in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", + \"whatismyip.akamai.com\"] && process.file.name != \"\"","category":"Network + Activity","creationDate":1648643213312,"updateDate":1678307295173,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Alexander + Daskalov","handle":"alexander.daskalov@datadoghq.com"}},"type":"agent_rule"},{"id":"i64-vlz-y6u","attributes":{"version":22,"name":"systemd_modification_chmod","description":"A + service may have been modified without authorization","expression":"(\n (chmod.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode + != chmod.file.mode","category":"File Activity","creationDate":1642158535224,"updateDate":1677793411681,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"69h-fh3-8gd","attributes":{"version":1,"name":"tty_shell_in_container","description":"A + shell with a TTY was executed in a container","expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n 
\"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] && process.tty_name != \"\" && process.container.id != \"\"","category":"Process + Activity","creationDate":0,"updateDate":1677793400846,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ygs-aya-gxb","attributes":{"version":1,"name":"redis_sandbox_escape","description":"Detects + CVE-2022-0543","expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" + && open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", + \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", + \"libc-2.37.so\"]) && process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","category":"File + Activity","creationDate":0,"updateDate":1677793399338,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"h2l-v6b-akf","attributes":{"version":1,"name":"base64_decode","description":"The + base64 command was used to decode information","expression":"exec.file.name + == \"base64\" && exec.args_flags in [\"d\"]","category":"Process Activity","creationDate":0,"updateDate":1677793399280,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jvq-pxe-ygn","attributes":{"version":21,"name":"systemd_modification_rename","description":"A + service may have been modified without authorization","expression":"(\n (rename.file.path + in [ 
~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", + ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":0,"updateDate":1677793384295,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"esw-xou-pwg","attributes":{"version":11,"name":"package_management_in_container","description":"Package + management was detected in a container","expression":"exec.file.path in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + && container.id != \"\"","category":"Process Activity","creationDate":1617722067648,"updateDate":1677793383505,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0yf-x4j-zbg","attributes":{"version":6,"name":"user_created_tty","description":"A + user was created via an interactive session","expression":"exec.file.name + in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name !=\"\" && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + && exec.args_flags not in [\"D\"]","category":"Process 
Activity","creationDate":1627392836979,"updateDate":1677793382984,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7nm-5gf-ghj","attributes":{"version":3,"name":"new_binary_execution_in_container","description":"A + container executed a new binary not found in the container image","expression":"container.id + != \"\" && process.file.in_upper_layer && process.file.modification_time < + 30s && exec.file.name != \"\"","category":"Process Activity","creationDate":1652129906455,"updateDate":1677793380182,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wib-i2s-0eb","attributes":{"version":17,"name":"pam_modification_utimes","description":"PAM + may have been modified without authorization","expression":"(\n (utimes.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && process.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142936138,"updateDate":1677793376369,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d1p-2un-5ay","attributes":{"version":21,"name":"systemd_modification_link","description":"A + service may have been modified without authorization","expression":"(\n (link.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", + ~\"/etc/systemd/system/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":0,"updateDate":1677793376080,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aic-m2b-kbp","attributes":{"version":22,"name":"systemd_modification_chown","description":"A + service may have been modified without authorization","expression":"(\n (chown.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File + Activity","creationDate":0,"updateDate":1677793375206,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rxa-v6v-oyz","attributes":{"version":31,"name":"credential_modified_rename","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"ac4-asc-qi4"},{"attributes":{"category":"File - Activity","name":"credential_modified_open","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n open.flags - & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", - \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", - \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && process.ancestors.file.path not - in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"cne-1ft-bei"},{"attributes":{"category":"File - Activity","name":"credential_modified_unlink","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (unlink.file.path + [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + 
Activity","creationDate":1642158535356,"updateDate":1677793375033,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tys-u1m-rgt","attributes":{"version":33,"name":"kernel_module_chown","description":"A + new kernel module was added","expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path + != \"/usr/bin/kmod\"\n) && (chown.file.destination.uid != chown.file.uid || + chown.file.destination.gid != chown.file.gid)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793374885,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hzz-0oh-mji","attributes":{"version":32,"name":"kernel_module_utimes","description":"A + new kernel module was added","expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && 
process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793374395,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"om1-5ch-5sf","attributes":{"version":32,"name":"kernel_module_unlink","description":"A + new kernel module was added","expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793372622,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wwu-ysx-rm7","attributes":{"version":32,"name":"kernel_module_rename","description":"A + new kernel module was added","expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1642158535229,"updateDate":1677793372373,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rza-8h3-4lj","attributes":{"version":32,"name":"credential_modified_chown","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"ay7-jkz-rda"},{"attributes":{"category":"File - Activity","name":"credential_modified_utimes","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (utimes.file.path + [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + && (chown.file.destination.uid != 
chown.file.uid || chown.file.destination.gid + != chown.file.gid)","category":"File Activity","creationDate":1642158534952,"updateDate":1677793372165,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"s17-cle-cuf","attributes":{"version":31,"name":"credential_modified_link","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (link.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"psd-3el-h33"},{"attributes":{"category":"File - Activity","name":"runc_modification","creator":{"handle":"","name":""},"description":"Runc - Binary Modified","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1636729662517,"creationDate":1627392837049,"expression":"open.file.path - in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags - & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n&& process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]"},"type":"agent_rule","id":"qng-psi-j15"},{"attributes":{"category":"Process - 
Activity","name":"user_created_tty","creator":{"handle":"","name":""},"description":"User - Created Interactively","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1636729662452,"creationDate":1627392836979,"expression":"exec.file.name - in [\"useradd\", \"newusers\"] && exec.tty_name !=\"\""},"type":"agent_rule","id":"asy-mod-zmt"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_chmod","creator":{"handle":"","name":""},"description":"SSL - Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (chmod.file.path - in [ ~\"/etc/ssl/certs/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"ybu-yya-acz"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_chown","creator":{"handle":"","name":""},"description":"SSL - Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (chown.file.path - in [ ~\"/etc/ssl/certs/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) && (chown.uid != chown.file.uid - || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"ohe-vlf-t2h"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_link","creator":{"handle":"","name":""},"description":"SSL - Certificate 
Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (link.file.path - in [ ~\"/etc/ssl/certs/*\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"7nq-ugi-gu1"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_rename","creator":{"handle":"","name":""},"description":"SSL - Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (rename.file.path - in [ ~\"/etc/ssl/certs/*\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"qzs-yvl-f4t"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_open","creator":{"handle":"","name":""},"description":"SSL - Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"2p0-3i2-b4y"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_unlink","creator":{"handle":"","name":""},"description":"SSL - 
Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (unlink.file.path - in [ ~\"/etc/ssl/certs/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"jin-icc-lpi"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_utimes","creator":{"handle":"","name":""},"description":"SSL - Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (utimes.file.path - in [ ~\"/etc/ssl/certs/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"w07-amm-bxr"},{"attributes":{"category":"File - Activity","name":"kernel_module_chmod","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (chmod.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n) && chmod.mode != 
chmod.file.mode"},"type":"agent_rule","id":"avt-p2e-fyc"},{"attributes":{"category":"File - Activity","name":"kernel_module_chown","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (chown.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n) && (chown.uid != chown.file.uid || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"cd0-w8q-vl4"},{"attributes":{"category":"File - Activity","name":"kernel_module_link","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (link.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ]\n || link.file.destination.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path - != 
\"/usr/bin/kmod\"\n)"},"type":"agent_rule","id":"ec9-vff-7ni"},{"attributes":{"category":"File - Activity","name":"kernel_module_rename","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (rename.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ]\n || rename.file.destination.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)"},"type":"agent_rule","id":"mpb-1rj-dv6"},{"attributes":{"category":"File - Activity","name":"kernel_module_open","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/*\", - ~\"/usr/lib/modules/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"] - && process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)"},"type":"agent_rule","id":"xye-pfo-y0r"},{"attributes":{"category":"File - Activity","name":"kernel_module_unlink","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (unlink.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)"},"type":"agent_rule","id":"c4t-pxu-ixk"},{"attributes":{"category":"File - Activity","name":"kernel_module_utimes","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (utimes.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)"},"type":"agent_rule","id":"fpw-paa-smb"},{"attributes":{"category":"Process - 
Activity","name":"compiler_in_container","creator":{"handle":"","name":""},"description":"Compiler - Executed in Container","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1636729662344,"creationDate":1627392836759,"expression":"(exec.file.name - in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" && - exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path - != \"/usr/bin/cilium-agent\""},"type":"agent_rule","id":"ily-tsr-dtj"},{"attributes":{"category":"Process - Activity","name":"package_management_in_container","creator":{"handle":"","name":""},"description":"Package - management in container","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1636729662123,"creationDate":1617722067648,"expression":"exec.file.path - in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"] - && container.id != \"\""},"type":"agent_rule","id":"3tj-btx-kvo"},{"attributes":{"category":"Kernel - Activity","name":"selinux_disable_enforcement","creator":{"handle":"","name":""},"description":"SELinux - enforcement status was disabled","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1635332067172,"creationDate":1635332067172,"expression":"selinux.enforce.status - in [\"permissive\", \"disabled\"]"},"type":"agent_rule","id":"je9-er4-njy"},{"attributes":{"category":"Process - Activity","name":"aws_metadata_service","creator":{"handle":"","name":""},"description":"EC2 - Instance Metadata Service Accessed via Network Utility","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1629226276630,"creationDate":1627392836096,"expression":"exec.file.path - in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in 
[~\"*169.254.169.254*\"]"},"type":"agent_rule","id":"jl5-wjt-58e"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_chmod","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (chmod.file.path - in [ ~\"/var/spool/cron/*\" ])\n && process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"ipa-v3l-kt6"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_chown","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (chown.file.path - in [ ~\"/var/spool/cron/*\" ])\n && process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n) && (chown.uid != chown.file.uid || chown.gid != - chown.file.gid)"},"type":"agent_rule","id":"3xl-qds-f0e"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_link","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (link.file.path - in [ ~\"/var/spool/cron/*\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/*\" - ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" - ]\n)"},"type":"agent_rule","id":"0gu-pqy-o1a"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_rename","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (rename.file.path - in [ 
~\"/var/spool/cron/*\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/*\" - ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" - ]\n)"},"type":"agent_rule","id":"cmu-g58-cau"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_open","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/*\" - ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" - ]\n)"},"type":"agent_rule","id":"onm-dqu-jly"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_unlink","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (unlink.file.path - in [ ~\"/var/spool/cron/*\" ])\n && process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)"},"type":"agent_rule","id":"atu-tci-bjn"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_utimes","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (utimes.file.path - in [ ~\"/var/spool/cron/*\" ])\n && process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)"},"type":"agent_rule","id":"ygn-d8o-ncr"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_chmod","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration 
Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (chmod.file.path - in [ \"/etc/nsswitch.conf\" ])\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"ki2-nwj-sot"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_chown","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (chown.file.path - in [ \"/etc/nsswitch.conf\" ])\n) && (chown.uid != chown.file.uid || chown.gid - != chown.file.gid)"},"type":"agent_rule","id":"nyc-gfz-yr5"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_link","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (link.file.path - in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)"},"type":"agent_rule","id":"8ol-dkr-aml"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_rename","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (rename.file.path - in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)"},"type":"agent_rule","id":"pkn-azw-qia"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_open","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration 
Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n open.flags - & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" - ])\n)"},"type":"agent_rule","id":"fdf-wvb-c3k"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_unlink","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (unlink.file.path - in [ \"/etc/nsswitch.conf\" ])\n)"},"type":"agent_rule","id":"wpt-ba8-mpd"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_utimes","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (utimes.file.path - in [ \"/etc/nsswitch.conf\" ])\n)"},"type":"agent_rule","id":"7ud-d2o-qgo"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_chmod","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n chmod.file.name - == \"authorized_keys\" && (chmod.file.path in [ ~\"*/.ssh/*\" ])\n) && chmod.mode - != chmod.file.mode"},"type":"agent_rule","id":"vqc-lta-u8c"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_chown","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n chown.file.name - == \"authorized_keys\" && (chown.file.path in [ 
~\"*/.ssh/*\" ])\n) && (chown.uid - != chown.file.uid || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"ien-7aw-blw"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_link","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n link.file.name - == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path - in [ ~\"*/.ssh/*\" ])\n)"},"type":"agent_rule","id":"za8-uxc-jxk"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_rename","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n rename.file.name - == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path - in [ ~\"*/.ssh/*\" ])\n)"},"type":"agent_rule","id":"tiz-yss-zhq"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_open","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" - && (open.file.path in [ ~\"*/.ssh/*\" ])\n)"},"type":"agent_rule","id":"nej-iw4-adk"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_unlink","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n unlink.file.name - == \"authorized_keys\" && (unlink.file.path 
in [ ~\"*/.ssh/*\" ])\n)"},"type":"agent_rule","id":"apr-zj4-ee1"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_utimes","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n utimes.file.name - == \"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n)"},"type":"agent_rule","id":"yhq-etl-wr6"},{"attributes":{"category":"File - Activity","name":"pam_modification_chmod","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (chmod.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"12k-ui3-z4h"},{"attributes":{"category":"File - Activity","name":"pam_modification_chown","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (chown.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n) && (chown.uid != chown.file.uid - || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"fak-u9s-pac"},{"attributes":{"category":"File - Activity","name":"pam_modification_link","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (link.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" 
])\n)"},"type":"agent_rule","id":"m8i-uhr-aoq"},{"attributes":{"category":"File - Activity","name":"pam_modification_rename","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (rename.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)"},"type":"agent_rule","id":"2fy-aqt-8mz"},{"attributes":{"category":"File - Activity","name":"pam_modification_open","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", - \"/etc/pam.conf\" ])\n)"},"type":"agent_rule","id":"adl-qjr-lyg"},{"attributes":{"category":"File - Activity","name":"pam_modification_unlink","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (unlink.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)"},"type":"agent_rule","id":"ei7-n5e-rvv"},{"attributes":{"category":"File - Activity","name":"pam_modification_utimes","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (utimes.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)"},"type":"agent_rule","id":"ohp-ags-xpk"},{"attributes":{"category":"Process - 
Activity","name":"passwd_execution","creator":{"handle":"","name":""},"description":"Passwd - utility executed","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1627913197013,"creationDate":1617722068383,"expression":"exec.file.path - == \"/usr/bin/passwd\""},"type":"agent_rule","id":"ejk-rbu-v9x"},{"attributes":{"category":"Process - Activity","name":"java_shell_execution","creator":{"handle":"","name":""},"description":"Java - process spawned shell/utility","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1627913196085,"creationDate":1617722069224,"expression":"(exec.file.path - in [ \"/bin/dash\", \"/usr/bin/dash\",\n \"/bin/sh\", \"/bin/static-sh\", - \"/usr/bin/sh\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\", - \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\", \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\", - \"/bin/zsh5-static\" ] ||\n exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] - ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n&& - process.ancestors.file.name == \"java\""},"type":"agent_rule","id":"pej-frv-8lb"},{"attributes":{"category":"Process - 
Activity","name":"common_net_intrusion_util","creator":{"handle":"","name":""},"description":"Nmap - Execution Detected","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1627913195813,"creationDate":1617722067554,"expression":"exec.file.path - == \"/usr/bin/nmap\""},"type":"agent_rule","id":"yiy-mba-pny"}]}' + [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535271,"updateDate":1677793372149,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ty2-qc4-drd","attributes":{"version":32,"name":"kernel_module_link","description":"A + new kernel module was added","expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && 
process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1642158535200,"updateDate":1677793372103,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hsk-ug8-fu7","attributes":{"version":32,"name":"kernel_module_open","description":"A + new kernel module was added","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" + ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793371891,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rme-dmd-trz","attributes":{"version":31,"name":"credential_modified_unlink","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (unlink.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in + [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n 
&& process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535113,"updateDate":1677793371890,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bya-q5x-vjt","attributes":{"version":24,"name":"cron_at_job_creation_rename","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (rename.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || + rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" + ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142961130,"updateDate":1674486419017,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6p8-mws-jmo","attributes":{"version":1,"name":"potential_web_shell_parent","description":"A + web application spawned a shell or shell utility","expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n 
\"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path + in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/
unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + &&\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] + || process.parent.file.name =~ \"php*\")","category":"Process Activity","creationDate":0,"updateDate":1674486410462,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c3b-qwh-lwy","attributes":{"version":1,"name":"mount_host_fs","description":"The + host file system was mounted in a container","expression":"mount.source.path + == \"/\" && mount.fs_type != \"overlay\" && container.id != \"\"","category":"File + Activity","creationDate":0,"updateDate":1674486409763,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mfw-adh-mba","attributes":{"version":1,"name":"memfd_create","description":"memfd + object created","expression":"exec.file.name =~ \"memfd*\" && exec.file.path + == \"\"","category":"Process Activity","creationDate":0,"updateDate":1674486409582,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ylo-d9p-7e2","attributes":{"version":25,"name":"cron_at_job_creation_chmod","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (chmod.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && chmod.file.destination.mode + != chmod.file.mode\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142961130,"updateDate":1674486392555,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zwi-z69-wxv","attributes":{"version":25,"name":"cron_at_job_creation_chown","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (chown.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142961130,"updateDate":1674486392076,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"abd-4hy-aep","attributes":{"version":25,"name":"cron_at_job_creation_utimes","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (utimes.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + 
Activity","creationDate":1606142961130,"updateDate":1674486391087,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kft-h30-mqm","attributes":{"version":25,"name":"cron_at_job_creation_unlink","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (unlink.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142961130,"updateDate":1674486390957,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xda-xrq-k9e","attributes":{"version":25,"name":"cron_at_job_creation_open","description":"An + unauthorized job was added to cron scheduling","expression":"(\n open.flags + & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", + ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in + [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File 
Activity","creationDate":1606142961130,"updateDate":1674486390712,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vxt-pdr-0cl","attributes":{"version":25,"name":"cron_at_job_creation_link","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (link.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || + link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" + ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142961130,"updateDate":1674486390691,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"z01-5m6-bbi","attributes":{"version":1,"name":"gcp_imds","description":"An + GCP IMDS was called via a network utility","expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", + ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","category":"Process + Activity","creationDate":0,"updateDate":1670604148337,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tez-7by-uke","attributes":{"version":1,"name":"azure_imds","description":"An + Azure IMDS was called via a network utility","expression":"exec.comm in [\"wget\", + \"curl\", 
\"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","category":"Process + Activity","creationDate":0,"updateDate":1670604148316,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fcs-rzj-p0a","attributes":{"version":1,"name":"net_unusual_request","description":"Network + utility executed with suspicious URI","expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","category":"Process + Activity","creationDate":0,"updateDate":1670604148316,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u4x-0kv-jq1","attributes":{"version":2,"name":"ptrace_antidebug","description":"A + process uses an anti-debugging technique to block debuggers","expression":"ptrace.request + == PTRACE_TRACEME && process.file.name != \"\"","category":"Kernel Activity","creationDate":1650293718435,"updateDate":1670604142703,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hyc-d0a-iat","attributes":{"version":9,"name":"passwd_execution","description":"The + passwd or chpasswd utility was used to modify an account password","expression":"exec.file.path + in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags not in + [\"S\", \"status\"]","category":"Process Activity","creationDate":1617722068383,"updateDate":1666888149907,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vls-ztk-8p0","attributes":{"version":2,"name":"dirty_pipe_exploitation","description":"Potential + Dirty pipe 
exploitation","expression":"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) + > 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","creationDate":1648564123563,"updateDate":1666888149012,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3ga-ibr-dlw","attributes":{"version":19,"name":"net_util_in_container","description":"A + network utility was executed in a container","expression":"(exec.comm in [\"socat\", + \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm + in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args + not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process + Activity","creationDate":1617722068439,"updateDate":1666888148873,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kel-je5-jhu","attributes":{"version":14,"name":"net_util","description":"A + network utility was executed","expression":"(exec.comm in [\"socat\", \"dig\", + \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in + [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id == \"\" && exec.args + not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process + Activity","creationDate":1617722067377,"updateDate":1666888148817,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zp1-2vr-dji","attributes":{"version":1,"name":"ld_preload_unusual_library_path","description":"The + LD_PRELOAD variable is populated by a link to a suspicious file directory","expression":"exec.envs + in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" 
]","category":"Process + Activity","creationDate":0,"updateDate":1665475122104,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iha-seu-ukg","attributes":{"version":18,"name":"pam_modification_chown","description":"PAM + may have been modified without authorization","expression":"(\n (chown.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File + Activity","creationDate":1642158535185,"updateDate":1665475117830,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5jz-f4m-ujl","attributes":{"version":17,"name":"pam_modification_chmod","description":"PAM + may have been modified without authorization","expression":"(\n (chmod.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && chmod.file.destination.mode + != chmod.file.mode","category":"File Activity","creationDate":1606142936138,"updateDate":1665475098297,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hyg-xco-0yu","attributes":{"version":19,"name":"ssh_authorized_keys_chmod","description":"SSH + modified keys may have been modified","expression":"(\n chmod.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ + ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && chmod.file.destination.mode + != chmod.file.mode","category":"File 
Activity","creationDate":1642158535014,"updateDate":1665475096405,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m6c-qaa-oq5","attributes":{"version":1,"name":"shell_history_symlink","description":"A + symbolic link for shell history was created targeting /dev/null","expression":"exec.comm + == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]","category":"Process + Activity","creationDate":0,"updateDate":1661193978111,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"e8x-hfv-opq","attributes":{"version":3,"name":"potential_cryptominer","description":"A + process resolved a DNS name associated with cryptomining activity","expression":"dns.question.name + in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", + ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] + && process.file.name != \"\"","category":"Network Activity","creationDate":1648643213236,"updateDate":1658502066736,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o9o-bqw-xda","attributes":{"version":2,"name":"paste_site","description":"A + DNS lookup was done for a pastebin-like site","expression":"dns.question.name + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] && + process.file.name != \"\"","category":"Network 
Activity","creationDate":1648643213212,"updateDate":1654020328112,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ozc-4r6-5v6","attributes":{"version":2,"name":"kernel_module_load_container","description":"A + container loaded a new kernel module","expression":"load_module.name != \"\" + && container.id !=\"\"","category":"Kernel Activity","creationDate":1650293718705,"updateDate":1650371510304,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qxl-uky-d3i","attributes":{"version":1,"name":"ptrace_injection","description":"A + process attempted to inject code into another process","expression":"ptrace.request + == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request + == PTRACE_POKEUSR","category":"Kernel Activity","creationDate":1650293718540,"updateDate":1650293782685,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hkb-qnu-nin","attributes":{"version":1,"name":"kernel_module_load_from_memory_container","description":"A + kernel module was loaded from memory inside a container","expression":"load_module.loaded_from_memory + == true && container.id !=\"\"","category":"Kernel Activity","creationDate":1650293718365,"updateDate":1650293782651,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vgp-c7n-4ww","attributes":{"version":17,"name":"pam_modification_open","description":"PAM + may have been modified without authorization","expression":"(\n open.flags + & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", + 
\"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1642158535331,"updateDate":1643993958380,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dk5-qem-ukk","attributes":{"version":17,"name":"pam_modification_link","description":"PAM + may have been modified without authorization","expression":"(\n (link.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1642158535089,"updateDate":1643993957839,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g0j-tcx-9yi","attributes":{"version":16,"name":"nsswitch_conf_mod_link","description":"Nsswitch + Configuration Modified","expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" + ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File + Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wu3-ect-q5y","attributes":{"version":16,"name":"nsswitch_conf_mod_rename","description":"Nsswitch + Configuration Modified","expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" + ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File + Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nfl-b7w-jla","attributes":{"version":16,"name":"nsswitch_conf_mod_unlink","description":"Nsswitch + 
Configuration Modified","expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" + ])\n)","category":"File Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vti-qnm-wg7","attributes":{"version":16,"name":"nsswitch_conf_mod_utimes","description":"Nsswitch + Configuration Modified","expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" + ])\n)","category":"File Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"}]} + + ' headers: content-type: - - application/json;charset=utf-8 + - application/json status: code: 200 message: OK @@ -813,13 +1089,11 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/w3n-qy8-qud + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/7ob-i7p-lcg response: body: string: '' - headers: - content-type: - - application/json;charset=utf-8 + headers: {} status: code: 204 message: No Content diff --git a/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.frozen new file mode 100644 index 0000000000..1a6e5c3ef8 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:19.397Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.yaml new file mode 100644 index 0000000000..b3d8a45c2c --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.yaml 
@@ -0,0 +1,1418 @@ +interactions: +- request: + body: null + headers: + accept: + - application/json + method: GET + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + response: + body: + string: '{"data":[{"id":"cwq-z6j-igp","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection + Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized + network access by deno runtime","enabled":true,"expression":"bind.addr.family\u003e=0 + \u0026\u0026 process.comm==\"deno\" \u0026\u0026 process.args not in [r\".*(allow-net|allow-ffi|-A|allow-all).*\"]","filters":["os + == \"linux\""],"name":"Deno_unauthorized_network_access_performed","updateDate":1698239523000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"lsi-6pb-7th","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection + Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized + filesystem read by deno runtime","enabled":false,"expression":"process.comm==\"deno\" + \u0026\u0026 open.flags==524288 \u0026\u0026 open.file.name not in process.argv + \u0026\u0026 process.args not in [r\".*(allow-read|-A|allow-all).*\"]","filters":["os + == \"linux\""],"name":"Deno_unauthorized_read_executed","updateDate":1698237510000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"mal-nic-u3y","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection + Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized + subprocess created by deno runtime","enabled":true,"expression":"exec.comm + !=\"\" \u0026\u0026 process.ancestors.comm==\"deno\" 
\u0026\u0026 process.ancestors.args + not in [r\".*(allow-run|-A|allow-all).*\"]","filters":["os == \"linux\""],"name":"Deno_unauthorized_subprocess_created","updateDate":1698239525000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"q17-vsb-c4k","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection + Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized + filesystem write by deno runtime","enabled":false,"expression":"process.comm==\"deno\" + \u0026\u0026 open.flags \u00261==1 \u0026\u0026 process.args not in [r\".*(allow-write|-A|allow-all).*\"]","filters":["os + == \"linux\""],"name":"Deno_unauthorized_write_executed","updateDate":1698237513000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"qp4-oog-vwu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1682687626000,"creator":{"name":"Threat Detection + Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"A + shell command was executed from a JupyterHub code cell","enabled":true,"expression":"exec.file.path + == \"/usr/bin/bash\" \u0026\u0026 process.ancestors.comm == \"jupyterhub-sing\"","filters":["os + == \"linux\""],"name":"jupyterhub_shell","updateDate":1698238456000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"doi-13m-kzx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1688462439000,"creator":{"name":"Threat Detection + Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Kubernetes + offensive tool executed","enabled":true,"expression":"(exec.file.name in [ + ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" + in exec.argv )) || exec.file.name in 
[\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os + == \"linux\""],"name":"kubernetes_offensive_tool_executed","updateDate":1698238459000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"p24-io5-dv2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1702898544000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"iptables + used to allow egress traffic","enabled":true,"expression":"exec.comm == \"iptables\" + \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] + \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os + == \"linux\""],"name":"tde_malware_egress_traffic_allowed_iptables","updateDate":1702898544000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"wy7-3ug-3k7","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1702898570000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Multiple + files with extensions created under common user directories","enabled":true,"expression":"rename.file.path + in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/var/log/**\", + ~\"/var/lib/log/**\", ~\"/var/backup/*\", ~\"/var/www/**\"] \u0026\u0026 rename.file.destination.name + in [r\"\\.[0-9a-z]+$\"] \u0026\u0026 rename.file.destination.name not in [r\".*\\.(lock|dbtmp|log|journal|ini|sh|json|yml|tmp|snap|txt|pyc|stat|hcl|[0-9])+$\"] + \u0026\u0026 process.comm not in [\"python\",\"python3\",\"agent\",\"security-agent\",\"kubectl\",\"kubelet\",\"datadog-cluster\",\"postgres\"]","filters":["os + == 
\"linux\""],"name":"tde_malware_files_with_extensions_created","updateDate":1703590999000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"s7a-oly-ndz","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1702898596000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Kernel + module loaded from common tmp directories","enabled":true,"expression":"load_module.file.path + in [ ~\"/tmp/**\", ~\"/var/tmp/**\" ]","filters":["os == \"linux\""],"name":"tde_malware_kernel_module_loaded_from_tmp","updateDate":1702898596000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"wvn-ega-hae","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1702898618000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Libpam.so + library hooked using ebpf","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE + \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"tde_malware_libpam_hooked_using_ebpf","updateDate":1702898618000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"aie-5ua-pqh","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1702898642000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"A + process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"((ptrace.tracee.euid==0 + \u0026\u0026 ptrace.tracee.uid ==0)||ptrace.tracee.comm in [~\"*sshd*\"]) + \u0026\u0026 process.comm not in [\"dlv\"]","filters":["os == \"linux\""],"name":"tde_malware_privileged_processes_or_sshd_traced","updateDate":1702898642000,"updater":{"name":"Ahmed + 
Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"46g-4uu-8q2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1702898821000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Proxychaining + technique used","enabled":true,"expression":"exec.comm == \"proxychains\"","filters":["os + == \"linux\""],"name":"tde_malware_proxychains_executed","updateDate":1702898821000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"yyy-5go-xpw","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1702898856000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"A + possible ransomware note created under common user directories","enabled":true,"expression":"open.file.path + in [\"/home/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\", \"/opt/*\", \"/etc/*\", + \"/var/log/*\", \"/var/lib/log/*\", \"/var/backup/*\", \"/var/www/*\"] \u0026\u0026 + open.file.name in [r\".*(restore|recovery|readme|instruction|how_to|ransom).*|.*(your_|crypt|lock|important).*\\.txt$\"]","filters":["os + == \"linux\""],"name":"tde_malware_ransomware_notes_written","updateDate":1702898856000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"vdn-l8j-9h1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1702898880000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"A + process deleted common system log files","enabled":true,"expression":"unlink.file.path + in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", + \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", + \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 + process.comm !=\"dockerd\"","filters":["os == 
\"linux\""],"name":"tde_malware_system_logs_deleted","updateDate":1702898880000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"ofh-ne6-jcq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1702898912000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Tunneling + and port forwarding tool used","enabled":true,"expression":"((exec.comm == + \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"])||(exec.comm + in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] + \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] + ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) + || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) + || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", + \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm + in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", + \"fish\"])","filters":["os == \"linux\""],"name":"tde_malware_tunneling_and_port_forwarding_technique_used","updateDate":1702898912000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"7nc-c8z-od7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707330428000,"creator":{"name":"Juvenal Araujo","handle":"juvenal.araujo@datadoghq.com"},"defaultRule":false,"description":"nsenter + used in container to execute code on the OS PID1","enabled":true,"expression":"exec.file.name + == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 + container.id !=\"\"","filters":["os == \"linux\""],"name":"tde_nsenter_pid1_detection","updateDate":1707330428000,"updater":{"name":"Juvenal + 
Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"vui-e82-jrw","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1705501135000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Connection + to red team domain","enabled":true,"expression":"dns.question.name in [~\"*.interact.sh\" + , ~\"*.oast.pro\" , ~\"*.oast.live\" , ~\"*.oast.site\" , ~\"*.oast.online\" + , ~\"*.oast.fun\" , ~\"*.oast.me\" , ~\"*.burpcollaborator.net\" , ~\"*.oastify.com\" + , ~\"*canarytokens.com\" , ~\"*.requestbin.net\" , ~\"*.dnslog.cn\"]","filters":["os + == \"linux\""],"name":"tde_red_team_domains_used","updateDate":1705501135000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name + in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name + !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1708708314000,"updater":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name + == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os + == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The + auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path + == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == + \"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path + in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 + open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 + process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path + =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name + == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + 
\"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", + \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os + == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os + == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + base64 command was used to decode information","enabled":true,"expression":"exec.file.name + == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil + was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name + == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 + exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os + == \"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name + in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 + process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os + == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name + in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", + \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os + == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A + compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" + \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path + in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 + (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm + in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name + not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name + in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 + exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" + \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os + == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known + offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline + in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + 
\"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags + \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", 
\"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 + chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path + in [ 
~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || + link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n 
(open.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || + rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", 
\"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags + in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args + in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", + ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os + == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process + environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs + in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os + == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name + == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 + exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n 
\"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + \u0026\u0026\nprocess.parent.file.name in 
[\"mysqld\", \"mongod\", \"postgres\"] + \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args + == \"-c locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" + \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process deleted common system log files","enabled":true,"expression":"unlink.file.path + in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", + \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", + \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 + process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + privileged container was created","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted + \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag + \u0026 
PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 + PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag + \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] + 
\u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 + \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] + \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the lsmod command","enabled":true,"expression":"exec.comm + == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os + == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The + wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os + == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer + \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode + \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os + == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", + ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os + == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name + =~ \".*\" \u0026\u0026 
exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", + ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os + == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name + in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", + \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os + == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress + traffic allowed using iptables","enabled":true,"expression":"exec.comm == + \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] + \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os + == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 + process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name + in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] + || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name + in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) + \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os + == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path + in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] + \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not + in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path + not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", + \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", + \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", + \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", + \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", + \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", + \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", + \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", + \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", + \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path + not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", 
\"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid + || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A + kernel module was loaded","enabled":true,"expression":"load_module.name not + in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", + \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] + \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", + \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os + == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + container loaded a new kernel module","enabled":true,"expression":"load_module.name + != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory + == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory + == true \u0026\u0026 container.id !=\"\"","filters":["os == 
\"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm + == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os + == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the kmod command","enabled":true,"expression":"exec.comm + == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes + DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" + \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs + in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os + == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library + libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE + \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney + Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode + \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid + != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == + \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd + object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" + \u0026\u0026 exec.file.path == \"\"","filters":["os == 
\"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process + memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline + =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name + in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", + ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] + \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + host file system was mounted in a container","enabled":true,"expression":"mount.source.path + == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id + != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Process + hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ + \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == + \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + suspicious file was written by a network utility","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", + \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 + open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path + in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os + == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network + utility executed with suspicious URI","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", + ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", + \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n 
exec.comm + in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" + \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" + ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration + attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", + ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args + not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + network utility was executed in a container","enabled":true,"expression":"(exec.comm + in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] + ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", + ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + network utility was executed in a container","enabled":true,"expression":"(exec.comm + in 
[\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] + ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", + ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os + == \"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local + account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name + in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + container executed a new binary not found in the container image","enabled":true,"expression":"container.id + != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time + \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode \u0026\u0026 process.file.path 
not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified 
without authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e + 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS + file referenced in commandline","enabled":true,"expression":"exec.cmdline + =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name + in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" + in exec.argv ) ) || exec.file.name in [ 
\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os + == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent + spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= + 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os + == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path + == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 + O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package + management was detected in a container","enabled":true,"expression":"exec.file.path + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package + management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e + 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without 
authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path + in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags + not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 + process.file.name != 
\"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 
process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been 
modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n 
\"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path + in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/
bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == \"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name + in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes + were listed using the ps command","enabled":true,"expression":"exec.comm == + \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name + not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name + not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", + \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", + \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os + == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection 
+ Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request + == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == + \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process attempted to inject code into another process","enabled":true,"expression":"ptrace.request + == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request + == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path + == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] + \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 + exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python + code was provided on the command 
line","enabled":true,"expression":"exec.file.name + == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args + in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", + \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os + == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Possible + ransomware note created under common user directories","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", + ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", + ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 + open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] + \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC + scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == 
\"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + kubeconfig file was accessed","enabled":true,"expression":"open.file.path + in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == + \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS + information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path + == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os + == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects + CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" + \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", + \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", + \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", + \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Redis + module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name + in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in + [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path + in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 + open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + scheduled task was created","enabled":true,"expression":"exec.file.name in + [\"at.exe\",\"schtasks.exe\"]","filters":["os == 
\"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux + enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status + in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os + == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request + == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request + == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm + not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os + == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl + used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" + \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") + \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os + == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm + == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os + == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 + open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name + == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell + profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", + ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 
((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) + \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n link.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ]\n || + link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" + ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name + in [ \"authorized_keys\", 
\"authorized_keys2\" ] \u0026\u0026 (rename.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || + rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", + ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + configuration directory for an ssh worm","enabled":true,"expression":"open.file.path + in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] + \u0026\u0026 
open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os + == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.mode != chmod.file.destination.mode\n\u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name + !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection 
+ Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os + == 
\"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 + 
process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified 
without authorization","enabled":true,"expression":"(\n (chmod.file.path + == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid + || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without 
authorization","enabled":true,"expression":"\n(open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path + == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
+ \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a + SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || + setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 + process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path + != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name + == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", + ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + container management utility was executed in a container","enabled":true,"expression":"exec.file.name + in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os + == 
\"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious + usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" + \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os + == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently + written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode + \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c + 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path + not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without 
authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 + chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", + ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", + ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Tar + archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" + \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id + != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling + or port forwarding tool used","enabled":true,"expression":"((exec.comm == + \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) + || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] + \u0026\u0026 process.args in 
[r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] + ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) + || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) + || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", + \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm + in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", + \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + user was created via an interactive session","enabled":true,"expression":"exec.file.name + in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags + not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + user was deleted via an interactive session","enabled":true,"expression":"exec.file.name + in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command + executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] + \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os + == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}}]}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.frozen index c889c00f99..1537435fe4 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.frozen @@ -1 +1 @@ -2022-05-12T09:51:26.237Z \ No newline at end of file +2024-03-07T18:00:22.467Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.yaml index d9f9fdf204..c997febc04 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.yaml 
@@ -10,810 +10,1185 @@ interactions: body: string: "# IMPORTANT: Edits to this file will not be reflected in the Datadog\ \ App and will be overwritten with new policy file downloads. Please modify\ - \ rules in the Datadog App for full functionality.\nversion: '1652349086649'\n\ - rules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: AppArmor\ - \ Profile Modified\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\"\ - , \"aa-audit\"] && exec.tty_name\n !=\"\"\n- id: aws_metadata_service\n\ - \ version: 4601e52e\n description: EC2 Instance Metadata Service Accessed\ - \ via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\"\ - , \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n- id:\ - \ common_net_intrusion_util\n version: c7198131\n description: Nmap Execution\ - \ Detected\n expression: exec.file.path == \"/usr/bin/nmap\"\n- id: compiler_in_container\n\ - \ version: 441a7e85\n description: Compiler Executed in Container\n expression:\ - \ (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n\ - \ == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id\ - \ !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n\ - - id: credential_modified_chmod\n version: 7e14d921\n description: Either\ - \ /etc/shadow/ or /etc/gshadow was modified by a non-standard\n tool\n\ - \ expression: \"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\ - \" ])\\n\\\n \\ && process.file.path not in [ \\\"/sbin/vipw\\\", \\\ - \"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\n , \\\"/usr/sbin/vigr\\\" ]\\\ - n && process.ancestors.file.path not in [\\\"/usr/bin/apt\\\"\\\n ,\ - \ \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n) && chmod.mode != chmod.file.mode\"\n- id: credential_modified_chown\n\ - \ version: 3731e0d5\n 
description: Either /etc/shadow/ or /etc/gshadow was\ - \ modified by a non-standard\n tool\n expression: \"(\\n (chown.file.path\ - \ in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n\\\n \\ && process.file.path\ - \ not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\ - \n , \\\"/usr/sbin/vigr\\\" ]\\n && process.ancestors.file.path not\ - \ in [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n) && (chown.uid !=\ - \ chown.file.uid\\\n \\ || chown.gid != chown.file.gid)\"\n- id: credential_modified_link\n\ - \ version: 7594ec54\n description: Either /etc/shadow/ or /etc/gshadow was\ - \ modified by a non-standard\n tool\n expression: \"(\\n (link.file.path\ - \ in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n \\\n \\ || link.file.destination.path\ - \ in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n\\\n \\ && process.file.path\ - \ not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\ - \n , \\\"/usr/sbin/vigr\\\" ]\\n && process.ancestors.file.path not\ - \ in [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: credential_modified_open\n\ - \ version: 2d65e37f\n description: Either /etc/shadow/ or /etc/gshadow was\ - \ modified by a non-standard\n tool\n expression: \"(\\n open.flags\ - \ & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\\n \\\n \\ (open.file.path\ - \ in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path\\\ - \n \\ not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\ - \", \\\"/usr/sbin/vigr\\\"\\\n \\ ]\\n && process.ancestors.file.path\ - \ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\ 
- \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: credential_modified_rename\n\ - \ version: 8bb8242b\n description: Either /etc/shadow/ or /etc/gshadow was\ - \ modified by a non-standard\n tool\n expression: \"(\\n (rename.file.path\ - \ in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n\\\n \\ || rename.file.destination.path\ - \ in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n\\\n \\ && process.file.path\ - \ not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\ - \n , \\\"/usr/sbin/vigr\\\" ]\\n && process.ancestors.file.path not\ - \ in [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: credential_modified_unlink\n\ - \ version: 5af577d\n description: Either /etc/shadow/ or /etc/gshadow was\ - \ modified by a non-standard\n tool\n expression: \"(\\n (unlink.file.path\ - \ in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n\\\n \\ && process.file.path\ - \ not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\ - \n , \\\"/usr/sbin/vigr\\\" ]\\n && process.ancestors.file.path not\ - \ in [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: credential_modified_utimes\n\ - \ version: 1c101338\n description: Either /etc/shadow/ or /etc/gshadow was\ - \ modified by a non-standard\n tool\n expression: \"(\\n (utimes.file.path\ - \ in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n\\\n \\ && process.file.path\ - \ not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\ - \n , \\\"/usr/sbin/vigr\\\" ]\\n && process.ancestors.file.path not\ - \ in 
[\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: cron_at_job_creation_chmod\n\ - \ version: 13512ebc\n description: Cron AT Job Creation\n expression: \"\ - (\\n (chmod.file.path in [ ~\\\"/var/spool/cron/*\\\" ])\\n && process.file.path\\\ - \n \\ not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && chmod.mode\ - \ != chmod.file.mode\"\n- id: cron_at_job_creation_chown\n version: ee7b306c\n\ - \ description: Cron AT Job Creation\n expression: \"(\\n (chown.file.path\ - \ in [ ~\\\"/var/spool/cron/*\\\" ])\\n && process.file.path\\\n \\\ - \ not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && (chown.uid\ - \ != chown.file.uid\\\n \\ || chown.gid != chown.file.gid)\"\n- id: cron_at_job_creation_link\n\ - \ version: b83e03f6\n description: Cron AT Job Creation\n expression: \"\ - (\\n (link.file.path in [ ~\\\"/var/spool/cron/*\\\" ]\\n || link.file.destination.path\\\ - \n \\ in [ ~\\\"/var/spool/cron/*\\\" ])\\n && process.file.path not\ - \ in [ \\\"/usr/bin/at\\\"\\\n , \\\"/usr/bin/crontab\\\" ]\\n)\"\n- id:\ - \ cron_at_job_creation_open\n version: 561ad06\n description: Cron AT Job\ - \ Creation\n expression: \"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY)\ - \ > 0 &&\\n (open.file.path\\\n \\ in [ ~\\\"/var/spool/cron/*\\\" ])\\\ - n && process.file.path not in [ \\\"/usr/bin/at\\\"\\\n , \\\"/usr/bin/crontab\\\ - \" ]\\n)\"\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description:\ - \ Cron AT Job Creation\n expression: \"(\\n (rename.file.path in [ ~\\\ - \"/var/spool/cron/*\\\" ]\\n || rename.file.destination.path\\\n \\\ - \ in [ ~\\\"/var/spool/cron/*\\\" ])\\n && process.file.path not in [ \\\ - \"/usr/bin/at\\\"\\\n , \\\"/usr/bin/crontab\\\" ]\\n)\"\n- id: cron_at_job_creation_unlink\n\ - \ version: 82b6d187\n description: Cron AT Job Creation\n 
expression: \"\ - (\\n (unlink.file.path in [ ~\\\"/var/spool/cron/*\\\" ])\\n && process.file.path\\\ - \n \\ not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\"\n\ - - id: cron_at_job_creation_utimes\n version: d460ba68\n description: Cron\ - \ AT Job Creation\n expression: \"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/*\\\ - \" ])\\n && process.file.path\\\n \\ not in [ \\\"/usr/bin/at\\\", \\\ - \"/usr/bin/crontab\\\" ]\\n)\"\n- id: database_shell_execution\n version:\ - \ 3508c713\n description: A database application spawned a shell, shell utility,\ - \ or HTTP utility\n expression: \"(exec.file.path in [ \\\"/bin/dash\\\"\ - , \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\"\\\n , \\\"/bin/static-sh\\\ - \", \\\"/usr/bin/sh\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\ - \"\\\n ,\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\ - \",\\n \\\"/usr/bin/ksh\\\"\\\n ,\\n \\\"/usr/bin/tcsh\\\",\\n \\\"\ - /usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\"\\\n \ - \ ,\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\ - \", \\\"/bin/rksh93\\\",\\n\\\n \\ \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\ - \", \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\"\\\n ,\\n \\\"\ - /bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\ - \"\\\n ,\\n \\\"/bin/zsh5\\\", \\\"/bin/zsh5-static\\\" ] ||\\n exec.file.path\ - \ in [\\\"/usr/bin/wget\\\"\\\n , \\\"/usr/bin/curl\\\"] ||\\n exec.file.path\ - \ in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\"\\\n ,\\\"\ - /bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\ - \",\\\"/bin/dir\\\"\\\n ,\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\ - \",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\"\\\n ,\\\"\ - /bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\ - \",\\\"/bin/sleep\\\"\\\n ,\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\ - 
\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\"\\\n ,\\\"\ - /usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\ - \"\\\n ,\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\ - \",\\\"/usr/bin/csplit\\\",\\\"\\\n /usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\ - \",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"\\\n /usr/bin/env\\\ - \",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\ - \"/usr/bin/fmt\\\"\\\n ,\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\ - \"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"\\\n /usr/bin/id\\\",\\\ - \"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\ - \"\\\n ,\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"\ - /usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\"\\\n ,\\\"/usr/bin/nl\\\",\\\"\ - /usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"\\\n\ - \ /usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"\ - /usr/bin/pinky\\\",\\\"/usr/bin/pr\\\"\\\n ,\\\"/usr/bin/printenv\\\",\\\ - \"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\"\\\n \ - \ ,\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\"\ - ,\\\"/usr/bin/sha224sum\\\"\\\n ,\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\ - \",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\"\\\n ,\\\"/usr/bin/shuf\\\ - \",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"\ - /usr/bin/stdbuf\\\"\\\n ,\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"\ - /usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\"\\\n ,\\\"\ - /usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\ - \"\\\n ,\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\ - \",\\\"/usr/bin/unlink\\\"\\\n ,\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\ - \",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"\\\ - \n ]) 
&&\\nprocess.ancestors.file.name in [\\\"mysqld\\\", \\\"mongod\\\ - \", \\\"postgres\\\"] &&\\n\\\n !(process.ancestors.file.name == \\\"initdb\\\ - \" &&\\nexec.args == ~\\\"*locale -a*\\\")\"\n- id: dirty_pipe_attempt\n \ - \ version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n\ + \ rules in the Datadog App for full functionality.\nversion: '1709834422927'\n\ + rules:\n- id: Deno_unauthorized_network_access_performed\n version: 482a395e\n\ + \ description: Unauthorized network access by deno runtime\n expression:\ + \ bind.addr.family>=0 && process.comm==\"deno\" && process.args not in [r\"\ + .*(allow-net|allow-ffi|-A|allow-all).*\"]\n agent_version: ''\n filters:\ + \ []\n- id: Deno_unauthorized_subprocess_created\n version: d2d82b09\n description:\ + \ Unauthorized subprocess created by deno runtime\n expression: exec.comm\ + \ !=\"\" && process.ancestors.comm==\"deno\" && process.ancestors.args\n \ + \ not in [r\".*(allow-run|-A|allow-all).*\"]\n agent_version: ''\n filters:\ + \ []\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An\ + \ AppArmor profile was modified in an interactive session\n expression: exec.file.name\ + \ in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n \ + \ !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n\ + \ version: fdc2412d\n description: The auditctl command was used to modify\ + \ auditd\n expression: exec.file.name == \"auditctl\"\n agent_version: ''\n\ + \ filters: []\n- id: auditd_config_modified\n version: c7f52a7a\n description:\ + \ The auditd configuration file was modified without using auditctl\n expression:\ + \ open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n\ + \ > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: auditd_rule_file_modified\n version: c533115d\n\ + \ description: The auditd rules file was modified without using 
auditctl\n\ + \ expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"\ + ]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name\ + \ !=\n \"auditctl\"\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description:\ + \ The AWS EKS service account token was accessed\n expression: open.file.path\ + \ =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name\ + \ == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ + ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ + , \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\"\ + , \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n\ + \ filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS\ + \ IMDS was called via a network utility\n expression: exec.comm in [\"wget\"\ + , \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\"\ + ,\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"\ + ]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n\ + \ description: An Azure IMDS was called via a network utility\n expression:\ + \ exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"\ + *169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version:\ + \ ''\n filters: []\n- id: base64_decode\n version: dd942ef2\n description:\ + \ The base64 command was used to decode information\n expression: exec.file.name\ + \ == \"base64\" && exec.args_flags in [\"d\"]\n agent_version: ''\n filters:\ + \ 
[]\n- id: certutil_usage\n version: 4b9c58b5\n description: Certutil was\ + \ executed to transmit or decode a potentially malicious\n file\n expression:\ + \ exec.file.name == \"certutil.exe\" && ((exec.cmdline =~ \"*urlcache*\" &&\n\ + \ exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")\n agent_version:\ + \ ''\n filters:\n - os == \"windows\"\n- id: chatroom_request\n version:\ + \ 91aa2a0f\n description: A newly created file contacted a chatroom domain\n\ + \ expression: dns.question.name in [\"discord.com\", \"api.telegram.org\"\ + , \"cdn.discordapp.com\"]\n && process.file.in_upper_layer && process.file.change_time\ + \ < 60s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: compile_after_delivery\n\ + \ version: f41c1e36\n description: A compiler wrote a suspicious file in\ + \ a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n\ + \ (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\"\ + .*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"\ + /root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm\ + \ in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in\ + \ [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in\ + \ [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: compiler_in_container\n version:\ + \ 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name\ + \ in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"\ + go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" &&\ + \ process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version:\ + \ ''\n filters: []\n- id: crackmap_exec_executed\n version: 62b05d89\n \ + \ description: Known offensive tool crackmap exec executed\n expression:\ + \ exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]\n agent_version: ''\n\ + \ filters:\n - os == 
\"windows\"\n- id: credential_modified_chown\n version:\ + \ b5e2cf51\n description: Sensitive credential files were modified using\ + \ a non-standard tool\n expression: |-\n (\n (chown.file.path in\ + \ [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not\ + \ in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ + , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ + , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid\ + \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n\ + \ filters: []\n- id: credential_modified_link\n version: 5fe23f72\n description:\ + \ Sensitive credential files were modified using a non-standard tool\n expression:\ + \ |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\"\ + \ ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\"\ + \ ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\"\ + , \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ + , \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\"\ + , \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"\ + /usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\"\ + \ ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"\ + /usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ 
+ ]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n\ + \ version: 5aec9afe\n description: Sensitive credential files were modified\ + \ using a non-standard tool\n expression: |-\n (\n open.flags &\ + \ ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [\ + \ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in\ + \ [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ + , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ + , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n\ + \ version: b7458786\n description: Sensitive credential files were modified\ + \ using a non-standard tool\n expression: |-\n (\n (rename.file.path\ + \ in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path\ + \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path\ + \ not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ + , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ + , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id:\ + \ credential_modified_unlink\n version: 557758b6\n description: Sensitive\ + \ credential files were modified using a non-standard tool\n expression:\ + \ |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\"\ + \ ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\"\ + , \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ + , \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\"\ + , \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"\ + /usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\"\ + \ ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"\ + /usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n\ + \ version: de8d14c5\n description: Sensitive credential files were modified\ + \ using a non-standard tool\n expression: |-\n (\n (utimes.file.path\ + \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path\ + \ not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ + , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ + , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id:\ + \ cryptominer_envs\n version: 
735b7690\n description: Process environment\ + \ variables match cryptocurrency miner\n expression: exec.envs in [~\"*POOL_USER*\"\ + , ~\"*POOL_URL*\", ~\"*POOL_PASS*\", ~\"*DONATE_LEVEL*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: curl_docker_socket\n version:\ + \ f736b6e6\n description: The Docker socket was referenced in a cURL command\n\ + \ expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"\ + ] && exec.args\n in [\"*docker.sock*\"] && container.id != \"\"\n agent_version:\ + \ ''\n filters: []\n- id: database_shell_execution\n version: 3508c713\n\ + \ description: A database application spawned a shell, shell utility, or\ + \ HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n\ + \ \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n\ + \ \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n\ + \ \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\"\ + ,\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\"\ + ,\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\"\ + ,\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n\ + \ \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \ + \ \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\"\ + ,\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n\ + \ \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in\ + \ [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\"\ + ,\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"\ + /bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"\ + /bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\"\ + ,\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"\ + /bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\"\ + ,\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\"\ + 
,\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\"\ + ,\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\"\ + ,\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\"\ + ,\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\"\ + ,\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\"\ + ,\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"\ + /usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"\ + /usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"\ + /usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\"\ + ,\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\"\ + ,\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\"\ + ,\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\"\ + ,\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\"\ + ,\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\"\ + ,\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\"\ + ,\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\"\ + ,\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"\ + /usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\"\ + , \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args\ + \ == \"-c locale -a\") &&\n !(process.parent.file.name == \"postgres\"\ + \ &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n \ + \ - os == \"linux\"\n- id: delete_system_log\n version: 5436807c\n description:\ + \ A process deleted common system log files\n expression: unlink.file.path\ + \ in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\",\n \"/var/log/lastlog\"\ + , \"/var/log/faillog\", \"/var/log/syslog\", 
\"/var/log/messages\",\n \"\ + /var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"\ + ]\n && process.comm not in [\"dockerd\", \"containerd\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version:\ + \ 356d5ee7\n description: A privileged container was created\n expression:\ + \ exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n\ + \ & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n\ + \ version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n\ \ expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 &&\ - \ (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0\n- id: dirty_pipe_exploitation\n\ + \ (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid\ + \ != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n\ \ version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n \ - \ expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0\n- id:\ - \ example_agent_rule\n version: 28ba1078\n description: An example agent\ - \ rule generated in terraform\n expression: exec.file.name == \"java\"\n\ - - id: java_shell_execution\n version: 24c2eb7c\n description: Java process\ - \ spawned shell/utility\n expression: \"(exec.file.path in [ \\\"/bin/dash\\\ - \", \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\"\\\n , \\\"/bin/static-sh\\\ - \", \\\"/usr/bin/sh\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\ - \"\\\n ,\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\ - \",\\n \\\"/usr/bin/ksh\\\"\\\n ,\\n \\\"/usr/bin/tcsh\\\",\\n \\\"\ - /usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\"\\\n \ - \ ,\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\ - \", \\\"/bin/rksh93\\\",\\n\\\n \\ \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\ - \", \\\"/bin/mksh-static\\\",\\n 
\\\"/usr/bin/csharp\\\"\\\n ,\\n \\\"\ - /bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\ - \"\\\n ,\\n \\\"/bin/zsh5\\\", \\\"/bin/zsh5-static\\\" ] ||\\n exec.file.path\ - \ in [\\\"/usr/bin/wget\\\"\\\n , \\\"/usr/bin/curl\\\"] ||\\n exec.file.path\ - \ in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\"\\\n ,\\\"\ - /bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\ - \",\\\"/bin/dir\\\"\\\n ,\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\ - \",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\"\\\n ,\\\"\ - /bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\ - \",\\\"/bin/sleep\\\"\\\n ,\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\ - \",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\"\\\n ,\\\"\ - /usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\ - \"\\\n ,\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\ - \",\\\"/usr/bin/csplit\\\",\\\"\\\n /usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\ - \",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"\\\n /usr/bin/env\\\ - \",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\ - \"/usr/bin/fmt\\\"\\\n ,\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\ - \"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"\\\n /usr/bin/id\\\",\\\ - \"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\ - \"\\\n ,\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"\ - /usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\"\\\n ,\\\"/usr/bin/nl\\\",\\\"\ - /usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"\\\n\ - \ /usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"\ - /usr/bin/pinky\\\",\\\"/usr/bin/pr\\\"\\\n ,\\\"/usr/bin/printenv\\\",\\\ - \"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\"\\\n \ - \ 
,\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\"\ - ,\\\"/usr/bin/sha224sum\\\"\\\n ,\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\ - \",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\"\\\n ,\\\"/usr/bin/shuf\\\ - \",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"\ - /usr/bin/stdbuf\\\"\\\n ,\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"\ - /usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\"\\\n ,\\\"\ - /usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\ - \"\\\n ,\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\ - \",\\\"/usr/bin/unlink\\\"\\\n ,\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\ - \",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"\\\ - \n ])\\n&& process.ancestors.file.name == \\\"java\\\"\"\n- id: kernel_module_chmod\n\ - \ version: 82c61c82\n description: A kernel module was added to /lib/modules/\n\ - \ expression: \"(\\n (chmod.file.path in [ ~\\\"/lib/modules/*\\\", ~\\\ - \"/usr/lib/modules/*\\\"\\\n \\ ])\\n && process.file.path not in [\\\ - \"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n && process.ancestors.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"\\\n ] && process.ancestors.file.path\ - \ != \\\"/usr/bin/kmod\\\"\\n) && chmod.mode != chmod.file.mode\"\n- id: kernel_module_chown\n\ - \ version: ca2cf124\n description: A kernel module was added to /lib/modules/\n\ - \ expression: \"(\\n (chown.file.path in [ ~\\\"/lib/modules/*\\\", ~\\\ - \"/usr/lib/modules/*\\\"\\\n \\ ])\\n && process.file.path not in [\\\ - \"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , 
\\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n && process.ancestors.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"\\\n ] && process.ancestors.file.path\ - \ != \\\"/usr/bin/kmod\\\"\\n) && (chown.uid != chown.file.uid\\\n \\ ||\ - \ chown.gid != chown.file.gid)\"\n- id: kernel_module_link\n version: a18ca197\n\ - \ description: A kernel module was added to /lib/modules/\n expression:\ - \ \"(\\n (link.file.path in [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\ - \"\\\n \\ ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/*\\\ - \", ~\\\"/usr/lib/modules/*\\\"\\\n \\ ])\\n && process.file.path not\ - \ in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n && process.ancestors.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"\\\n ] && process.ancestors.file.path\ - \ != \\\"/usr/bin/kmod\\\"\\n)\"\n- id: kernel_module_load\n version: 904592b4\n\ - \ description: A kernel module was loaded\n expression: load_module.name\ - \ != \"\"\n- id: kernel_module_load_container\n version: 139b666a\n description:\ - \ A container loaded a new kernel module\n expression: load_module.name !=\ - \ \"\" && container.id !=\"\"\n- id: kernel_module_load_from_memory\n version:\ - \ 78122acd\n description: A kernel module was loaded from memory\n expression:\ - \ load_module.loaded_from_memory == true\n- id: 
kernel_module_load_from_memory_container\n\ + \ expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n\ + \ != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id:\ + \ dynamic_linker_config_unlink\n version: 1924611e\n description: A process\ + \ unlinked a dynamic linker config file\n expression: unlink.file.path in\ + \ [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"\ + ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dynamic_linker_config_write\n\ + \ version: 764fc516\n description: A process wrote to a dynamic linker config\ + \ file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\"\ + , \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n\ + \ ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ + ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ + , \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\"\ + , \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n\ + \ filters: []\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel\ + \ modules were listed using the lsmod command\n expression: exec.comm ==\ + \ \"lsmod\"\n agent_version: 
''\n filters:\n - os == \"linux\"\n- id: exec_whoami\n\ + \ version: 90ea91b6\n description: The whoami command was executed\n expression:\ + \ exec.comm == \"whoami\"\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: exec_wrmsr\n version: 13ea7d84\n description: The wrmsr program\ + \ executed\n expression: exec.comm == \"wrmsr\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: executable_bit_added\n version: 6f8761f\n description:\ + \ The executable bit was added to a newly created file\n expression: |-\n\ + \ chmod.file.in_upper_layer &&\n chmod.file.change_time < 30s &&\n \ + \ container.id != \"\" &&\n chmod.file.destination.mode != chmod.file.mode\ + \ &&\n chmod.file.destination.mode & S_IXUSR|S_IXGRP|S_IXOTH > 0 &&\n \ + \ process.argv in [\"+x\"]\n agent_version: ''\n filters: []\n- id: gcp_imds\n\ + \ version: 3035dbbf\n description: An GCP IMDS was called via a network\ + \ utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"\ + ] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\"\ + ,\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"\ + ]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version:\ + \ 60fd84a9\n description: A hidden file was executed in a suspicious folder\n\ + \ expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\"\ + , ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version:\ + \ ''\n filters: []\n- id: interactive_shell_in_container\n version: f8bc8845\n\ + \ description: An interactive shell was started inside of a container\n \ + \ expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\"\ + ,\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n\ + \ \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ + ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ + ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n 
\"/usr/lib/initramfs-tools/bin/busybox\"\ + ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\"\ + ,\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \ + \ \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\"\ + ,\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \ + \ \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\"\ + \ ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: ip_check_domain\n version: d8a9934\n\ + \ description: A DNS lookup was done for a IP check service\n expression:\ + \ dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\"\ + ,\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && process.file.name\ + \ != \"\"\n agent_version: ''\n filters: []\n- id: iptables_egress_allowed\n\ + \ version: a5be0ef9\n description: Egress traffic allowed using iptables\n\ + \ expression: exec.comm == \"iptables\" && process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\\ + d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"]\n && process.args not in [r\"(127\\\ + .)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\\ + .)|(169\\.254\\.)\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A\ + \ java process spawned a shell, shell utility, or HTTP utility\n expression:\ + \ |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n\ + \ \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \ + \ \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ + ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ + ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ + ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\"\ + ,\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \ + \ \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\"\ + ,\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n 
\ + \ \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\"\ + \ ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n \ + \ exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\"\ + ,\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\"\ + ,\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"\ + /bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\"\ + ,\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"\ + /usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\"\ + ,\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\"\ + ,\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\"\ + ,\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"\ + /usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"\ + /usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"\ + /usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\"\ + ,\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\"\ + ,\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\"\ + ,\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\"\ + ,\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\"\ + ,\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\"\ + ,\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\"\ + ,\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\"\ + ,\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"\ + /usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\"\ + ,\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\"\ + 
,\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"\ + /usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.parent.file.name\ + \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ jupyterhub_shell\n version: ee1b8429\n description: A shell command was\ + \ executed from a JupyterHub code cell\n expression: exec.file.path == \"\ + /usr/bin/bash\" && process.ancestors.comm == \"jupyterhub-sing\"\n agent_version:\ + \ ''\n filters: []\n- id: k8s_pod_service_account_token_accessed\n version:\ + \ 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n\ + \ expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\"\ + ,\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name\ + \ == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ + , \"/opt/datadog-agent/embedded/bin/system-probe\",\n \"/opt/datadog-agent/embedded/bin/security-agent\"\ + , \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\"\ + , \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\"\ + , \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\"\ + ,\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path\ + \ not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\"\ + , \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\"\ + , \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n\ + \ \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\"\ + ,\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\"\ + ,\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\"\ + ,\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\"\ + ]\n && 
process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ + ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ + , \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\"\ + , \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 93da2ba6\n\ + \ description: A new kernel module was added\n expression: |-\n (\n \ + \ (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode\ + \ != chmod.file.mode\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel\ + \ module was added\n expression: |-\n (\n (chown.file.path in [\ + \ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"\ + /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\ + \n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ + \ != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n\ + \ version: ae6469e5\n description: A new kernel module was added\n expression:\ + \ |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + \ ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"\ + /usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version:\ + \ ''\n filters: []\n- id: kernel_module_load\n version: 904592b4\n description:\ + \ A kernel module was loaded\n expression: load_module.name not in [\"nf_tables\"\ + , \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\", \"ip6_tables\"\ + , \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"]\n\ + \ && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\"\ + , \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_container\n\ + \ version: 139b666a\n description: A container loaded a new kernel module\n\ + \ expression: load_module.name != \"\" && container.id !=\"\"\n agent_version:\ + \ ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n\ + \ description: A kernel module was loaded from memory\n 
expression: load_module.loaded_from_memory\ + \ == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n\ \ version: a277c753\n description: A kernel module was loaded from memory\ \ inside a container\n expression: load_module.loaded_from_memory == true\ - \ && container.id !=\"\"\n- id: kernel_module_open\n version: 55f9569\n \ - \ description: A kernel module was added to /lib/modules/\n expression: \"\ - (\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path\\\ - \n \\ in [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\" ])\\n \ - \ && process.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\ - \", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n\ - \ && process.ancestors.file.path not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\ - \"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"] &&\ - \ process.ancestors.file.path\\\n \\ != \\\"/usr/bin/kmod\\\"\\n)\"\n-\ - \ id: kernel_module_rename\n version: 9d8cb7d8\n description: A kernel module\ - \ was added to /lib/modules/\n expression: \"(\\n (rename.file.path in\ - \ [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\"\\\n \\ ]\\n \ - \ || rename.file.destination.path in [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\ - \"\\\n \\ ])\\n && process.file.path not in [\\\"/usr/bin/apt\\\", \\\ - \"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", 
\\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\"\n\ - - id: kernel_module_unlink\n version: 652391be\n description: A kernel module\ - \ was added to /lib/modules/\n expression: \"(\\n (unlink.file.path in\ - \ [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\"\\\n \\ ])\\n \ - \ && process.file.path not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\ - \"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n\ - \ && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\"\ - , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\"\n\ - - id: kernel_module_utimes\n version: 405d45e7\n description: A kernel module\ - \ was added to /lib/modules/\n expression: \"(\\n (utimes.file.path in\ - \ [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\"\\\n \\ ])\\n \ - \ && process.file.path not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\ - \"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n\ - \ && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\"\ - , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\"\n\ - - id: net_util\n version: fc362090\n description: A network utility was\ - \ executed from a suspicious location\n expression: \"(exec.file.path in\ - \ [\\\"/usr/bin/socat\\\", \\\"/usr/bin/dig\\\", \\\"/usr/bin/nslookup\\\"\ - \\\n , 
\\\"/usr/bin/netcat\\\", \\\"/usr/bin/nc\\\"] ||\\n exec.file.path\ - \ in [\\\"/usr/bin/wget\\\"\\\n , \\\"/usr/bin/curl\\\"]) &&\\ncontainer.id\ - \ == \\\"\\\" && (exec.args not in [ ~\\\"*localhost*\\\"\\\n , ~\\\"*127.0.0.1*\\\ - \", ~\\\"*motd.ubuntu.com*\\\" ] || process.ancestors.comm != \\\"50-motd-news\\\ - \"\\\n ) && process.ancestors.file.path in [ ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\ - \", ~\\\"/home/**\\\"\\\n , ~\\\"/run/user/**\\\" ]\"\n- id: net_util_in_container\n\ - \ version: 69e03ac1\n description: A network utility was executed from a\ - \ suspicious location in a container\n expression: \"(exec.file.path in [\\\ - \"/usr/bin/socat\\\", \\\"/usr/bin/dig\\\", \\\"/usr/bin/nslookup\\\"\\\n\ - \ , \\\"/usr/bin/netcat\\\", \\\"/usr/bin/nc\\\"] ||\\n exec.file.path\ - \ in [\\\"/usr/bin/wget\\\"\\\n , \\\"/usr/bin/curl\\\"]) &&\\ncontainer.id\ - \ != \\\"\\\" && (exec.args not in [ ~\\\"*localhost*\\\"\\\n , ~\\\"*127.0.0.1*\\\ - \", ~\\\"*motd.ubuntu.com*\\\" ] || process.ancestors.comm != \\\"50-motd-news\\\ - \"\\\n ) && process.ancestors.file.path in [ ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\ - \", ~\\\"/home/**\\\"\\\n , ~\\\"/run/user/**\\\" ]\"\n- id: new_binary_execution_in_container\n\ - \ version: 9dc42e1d\n description: A container executed a new a binary not\ - \ found in the container image\n expression: container.id !=\"\" && !process.file.in_upper_layer\ - \ && process.file.modification_time\n < 30s && exec.file.name !=\"\"\n\ - - id: new_kernel_module_audit\n version: 904592b4\n description: A kernel\ - \ module was loaded\n expression: load_module.name != \"\"\n- id: new_kernel_module_audit_container\n\ - \ version: 139b666a\n description: A kernel module was loaded\n expression:\ - \ load_module.name != \"\" && container.id !=\"\"\n- id: nsswitch_conf_mod_chmod\n\ - \ version: d301aedf\n description: Nsswitch Configuration Modified\n expression:\ - \ \"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && chmod.mode\\\ - 
\n \\ != chmod.file.mode\"\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n\ - \ description: Nsswitch Configuration Modified\n expression: \"(\\n (chown.file.path\ - \ in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && (chown.uid\\\n \\ != chown.file.uid\ - \ || chown.gid != chown.file.gid)\"\n- id: nsswitch_conf_mod_link\n version:\ - \ e0565b29\n description: Nsswitch Configuration Modified\n expression:\ - \ \"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path\\\ - \n \\ in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\"\n- id: nsswitch_conf_mod_open\n\ - \ version: b5602c6f\n description: Nsswitch Configuration Modified\n expression:\ - \ \"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path\\\ - \n \\ in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\"\n- id: nsswitch_conf_mod_rename\n\ - \ version: aad34176\n description: Nsswitch Configuration Modified\n expression:\ - \ \"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path\\\ - \n \\ in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\"\n- id: nsswitch_conf_mod_unlink\n\ - \ version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression:\ - \ \"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\"\n-\ - \ id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch\ - \ Configuration Modified\n expression: \"(\\n (utimes.file.path in [ \\\ - \"/etc/nsswitch.conf\\\" ])\\n)\"\n- id: package_management_in_container\n\ - \ version: c152fcaf\n description: Package management in container\n expression:\ - \ exec.file.path in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\"\ - ,\n \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\",\ - \ \"/usr/bin/unattended-upgrade\"]\n && container.id != \"\"\n- id: pam_modification_chmod\n\ - \ version: 974a676e\n description: PAM Configuration Files Modification\n\ - \ expression: \"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"\ - 
/etc/pam.conf\\\" ])\\n\\\n ) && chmod.mode != chmod.file.mode\"\n- id:\ - \ pam_modification_chown\n version: ca22d0ab\n description: PAM Configuration\ - \ Files Modification\n expression: \"(\\n (chown.file.path in [ ~\\\"\ - /etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n\\\n ) && (chown.uid != chown.file.uid\ - \ || chown.gid != chown.file.gid)\"\n- id: pam_modification_link\n version:\ - \ 3d5d6b31\n description: PAM Configuration Files Modification\n expression:\ - \ \"(\\n (link.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\ - \" ]\\n\\\n \\ || link.file.destination.path in [ ~\\\"/etc/pam.d/*\\\ - \", \\\"/etc/pam.conf\\\" ])\\n\\\n )\"\n- id: pam_modification_open\n\ - \ version: 9440f452\n description: PAM Configuration Files Modification\n\ - \ expression: \"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\ - \ 0 &&\\n (open.file.path\\\n \\ in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\ - \" ])\\n)\"\n- id: pam_modification_rename\n version: bd1d257a\n description:\ - \ PAM Configuration Files Modification\n expression: \"(\\n (rename.file.path\ - \ in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\"\\\n \\ ]\\n || rename.file.destination.path\ - \ in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\"\\\n \\ ])\\n)\"\n-\ - \ id: pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration\ - \ Files Modification\n expression: \"(\\n (unlink.file.path in [ ~\\\"\ - /etc/pam.d/*\\\", \\\"/etc/pam.conf\\\"\\\n \\ ])\\n)\"\n- id: pam_modification_utimes\n\ - \ version: d377b599\n description: PAM Configuration Files Modification\n\ - \ expression: \"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"\ - /etc/pam.conf\\\"\\\n \\ ])\\n)\"\n- id: passwd_execution\n version: e1d41f5e\n\ - \ description: Passwd utility executed\n expression: exec.file.path == \"\ - /usr/bin/passwd\"\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n\ - \ description: Critical System Binaries\n expression: \"(\\n (chmod.file.path\ - \ in 
[ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\"\\\n , ~\\\ - \"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\",\ - \ ~\\\"/boot/*\\\"\\\n \\ ])\\n && process.file.path not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n) && chmod.mode != chmod.file.mode\"\n- id: pci_11_5_critical_binaries_chown\n\ - \ version: 21da2189\n description: Critical System Binaries\n expression:\ - \ \"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"\ - /usr/bin/*\\\"\\\n , ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\ - \"/usr/local/sbin/*\\\", ~\\\"/boot/*\\\"\\\n \\ ])\\n && process.file.path\ - \ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n && process.ancestors.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n) && (chown.uid\ - \ != chown.file.uid || chown.gid != chown.file.gid)\"\n- id: pci_11_5_critical_binaries_link\n\ - \ version: a7ac587c\n description: Critical System Binaries\n expression:\ - \ \"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"\ - /usr/bin/*\\\"\\\n , ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\ - \"/usr/local/sbin/*\\\", ~\\\"/boot/*\\\"\\\n \\ ]\\n || link.file.destination.path\ - \ 
in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\"\\\n , ~\\\ - \"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\",\ - \ ~\\\"/boot/*\\\"\\\n \\ ])\\n && process.file.path not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n)\"\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n\ - \ description: Critical System Binaries\n expression: \"(\\n open.flags\ - \ & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path\\\n \ - \ \\ in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\ - \", ~\\\"/usr/local/bin/*\\\"\\\n , ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/*\\\ - \" ])\\n && process.file.path not in [\\\"\\\n /usr/bin/apt\\\", \\\"\ - /usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\"\\\ - \n , \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n && process.ancestors.file.path not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n)\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n\ - \ description: Critical System Binaries\n expression: \"(\\n (rename.file.path\ - \ in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\"\\\n , ~\\\ - \"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\",\ - \ ~\\\"/boot/*\\\"\\\n \\ ]\\n || rename.file.destination.path in [\ - \ ~\\\"/bin/*\\\", 
~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\"\\\n , ~\\\"/usr/sbin/*\\\ - \", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/*\\\"\ - \\\n \\ ])\\n && process.file.path not in [\\\"/usr/bin/apt\\\", \\\"\ - /usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n)\"\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n\ - \ description: Critical System Binaries\n expression: \"(\\n (unlink.file.path\ - \ in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\"\\\n , ~\\\ - \"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\",\ - \ ~\\\"/boot/*\\\"\\\n \\ ])\\n && process.file.path not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n)\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n\ - \ description: Critical System Binaries\n expression: \"(\\n (utimes.file.path\ - \ in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\"\\\n , ~\\\ - \"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\",\ - \ ~\\\"/boot/*\\\"\\\n \\ ])\\n && process.file.path not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", 
\\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n)\"\n- id: potential_web_shell\n version: dcaa6f4d\n description:\ - \ A webapp process (language engine or webserver) spawned a shell, shell\n\ - \ utility, or HTTP utility\n expression: \"(exec.file.path in [ \\\"/bin/dash\\\ - \", \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\"\\\n , \\\"/bin/static-sh\\\ - \", \\\"/usr/bin/sh\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\ - \"\\\n ,\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\ - \",\\n \\\"/usr/bin/ksh\\\"\\\n ,\\n \\\"/usr/bin/tcsh\\\",\\n \\\"\ - /usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\"\\\n \ - \ ,\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\ - \", \\\"/bin/rksh93\\\",\\n\\\n \\ \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\ - \", \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\"\\\n ,\\n \\\"\ - /bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\ - \"\\\n ,\\n \\\"/bin/zsh5\\\", \\\"/bin/zsh5-static\\\" ] || exec.file.path\ - \ in [\\\"/usr/bin/wget\\\"\\\n , \\\"/usr/bin/curl\\\"] || exec.file.path\ - \ in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\"\\\n ,\\\"\ - /bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\ - \",\\\"/bin/dir\\\"\\\n ,\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\ - \",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\"\\\n ,\\\"\ - /bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\ - \",\\\"/bin/sleep\\\"\\\n ,\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\ - \",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\"\\\n 
,\\\"\ - /usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\ - \"\\\n ,\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\ - \",\\\"/usr/bin/csplit\\\",\\\"\\\n /usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\ - \",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"\\\n /usr/bin/env\\\ - \",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\ - \"/usr/bin/fmt\\\"\\\n ,\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\ - \"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"\\\n /usr/bin/id\\\",\\\ - \"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\ - \"\\\n ,\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"\ - /usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\"\\\n ,\\\"/usr/bin/nl\\\",\\\"\ - /usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"\\\n\ - \ /usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"\ - /usr/bin/pinky\\\",\\\"/usr/bin/pr\\\"\\\n ,\\\"/usr/bin/printenv\\\",\\\ - \"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\"\\\n \ - \ ,\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\"\ - ,\\\"/usr/bin/sha224sum\\\"\\\n ,\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\ - \",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\"\\\n ,\\\"/usr/bin/shuf\\\ - \",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"\ - /usr/bin/stdbuf\\\"\\\n ,\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"\ - /usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\"\\\n ,\\\"\ - /usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\ - \"\\\n ,\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\ - \",\\\"/usr/bin/unlink\\\"\\\n ,\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\ - \",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"\\\ - \n ]) &&\\n(process.ancestors.file.name in [~\\\"python2*\\\", ~\\\"python3*\\\ - \", 
\\\"node\\\"\\\n , \\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\"\ - ] || process.ancestors.file.name =~ \\\"php*\\\"\\\n ) &&\\nprocess.ancestors.comm\ - \ not in [\\\"pip3\\\", \\\"pip\\\", \\\"npm\\\"]\"\n- id: ptrace_antidebug\n\ - \ version: a6289ff7\n description: A process uses an anti-debugging technique\ - \ to block debuggers\n expression: ptrace.request == PTRACE_TRACEME\n- id:\ - \ ptrace_injection\n version: 6d290a43\n description: A process attempted\ - \ to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT\ - \ || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n\ - - id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A process\ - \ was spawned with indicators of exploitation of CVE-2021-4034\n expression:\ - \ (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"\ - *PATH*\"]\n && exec.uid != 0)\n- id: runc_modification\n version: c7144439\n\ - \ description: Runc Binary Modified\n expression: 'open.file.path in [\"\ - /usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\n && open.flags\ - \ & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n\n && process.file.path not in\ - \ [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\",\n \"\ - /usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - ]\n\n && process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\"\ - , \"/usr/bin/apt-config\",\n \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]'\n- id: selinux_disable_enforcement\n\ - \ version: afa9a8ba\n description: SELinux enforcement status was disabled\n\ - \ expression: selinux.enforce.status in [\"permissive\", \"disabled\"]\n\ - - id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH Authorized\ - \ Keys Modified\n expression: \"(\\n chmod.file.name == \\\"authorized_keys\\\ - \" && (chmod.file.path in\\\n \\ [ 
~\\\"*/.ssh/*\\\" ])\\n) && chmod.mode\ - \ != chmod.file.mode\"\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n\ - \ description: SSH Authorized Keys Modified\n expression: \"(\\n chown.file.name\ - \ == \\\"authorized_keys\\\" && (chown.file.path in\\\n \\ [ ~\\\"*/.ssh/*\\\ - \" ])\\n) && (chown.uid != chown.file.uid || chown.gid != chown.file.gid)\"\ - \n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH\ - \ Authorized Keys Modified\n expression: \"(\\n link.file.name == \\\"\ - authorized_keys\\\" && (link.file.path in\\\n \\ [ ~\\\"*/.ssh/*\\\" ]\\\ - n || link.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n\\\n )\"\ - \n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH\ - \ Authorized Keys Modified\n expression: \"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 &&\\n open.file.name\\\n \\ == \\\"authorized_keys\\\" && (open.file.path\ - \ in [ ~\\\"*/.ssh/*\\\" ])\\n)\"\n- id: ssh_authorized_keys_rename\n version:\ - \ fd3bdabf\n description: SSH Authorized Keys Modified\n expression: \"\ - (\\n rename.file.name == \\\"authorized_keys\\\" && (rename.file.path\\\ - \n \\ in [ ~\\\"*/.ssh/*\\\" ]\\n || rename.file.destination.path in\ - \ [ ~\\\"*/.ssh/*\\\"\\\n \\ ])\\n)\"\n- id: ssh_authorized_keys_unlink\n\ - \ version: 54cf4a88\n description: SSH Authorized Keys Modified\n expression:\ - \ \"(\\n unlink.file.name == \\\"authorized_keys\\\" && (unlink.file.path\\\ - \n \\ in [ ~\\\"*/.ssh/*\\\" ])\\n)\"\n- id: ssh_authorized_keys_utimes\n\ - \ version: 59377e61\n description: SSH Authorized Keys Modified\n expression:\ - \ \"(\\n utimes.file.name == \\\"authorized_keys\\\" && (utimes.file.path\\\ - \n \\ in [ ~\\\"*/.ssh/*\\\" ])\\n)\"\n- id: ssl_certificate_tampering_chmod\n\ - \ version: d8ac6517\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", 
\\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n) && chmod.mode\ - \ != chmod.file.mode\"\n- id: ssl_certificate_tampering_chown\n version:\ - \ 3d04895f\n description: SSL Certificate Tampering\n expression: \"(\\\ - n (chown.file.path in [ ~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n) && (chown.uid\ - \ != chown.file.uid || chown.gid != chown.file.gid)\"\n- id: ssl_certificate_tampering_link\n\ - \ version: eb594616\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/*\\\" ]\\n || link.file.destination.path\\\ - \n \\ in [ ~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path not\ - \ in [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: ssl_certificate_tampering_open\n\ - \ version: 59d94d53\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path\\\ - \n \\ in [ ~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path not\ - \ in [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: ssl_certificate_tampering_rename\n\ - \ version: e42eefb4\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/*\\\" ]\\n || rename.file.destination.path\\\ - \n \\ in [ 
~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path not\ - \ in [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: ssl_certificate_tampering_unlink\n\ - \ version: 37c40311\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n)\"\n- id:\ - \ ssl_certificate_tampering_utimes\n version: de3d3032\n description: SSL\ - \ Certificate Tampering\n expression: \"(\\n (utimes.file.path in [ ~\\\ - \"/etc/ssl/certs/*\\\" ])\\n && process.file.path\\\n \\ not in [\\\"\ - /usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\ - \"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n)\"\n- id: suspicious_container_client\n\ - \ version: 8b9461f4\n description: A container management utility was executed\ - \ in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"\ - ] && container.id != \"\"\n- id: systemd_modification_chmod\n version: b0643139\n\ - \ description: Systemd Modification\n expression: \"(\\n (chmod.file.path\ - \ in [ ~\\\"/lib/systemd/system/*\\\", ~\\\"/usr/lib/systemd/system/*\\\"\\\ - \n , ~\\\"/etc/systemd/system/*\\\" ])\\n && process.file.path not in\ - \ [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n) && chmod.mode !=\ - \ chmod.file.mode\"\n- id: systemd_modification_chown\n version: 
380d501\n\ - \ description: Systemd Modification\n expression: \"(\\n (chown.file.path\ - \ in [ ~\\\"/lib/systemd/system/*\\\", ~\\\"/usr/lib/systemd/system/*\\\"\\\ - \n , ~\\\"/etc/systemd/system/*\\\" ])\\n && process.file.path not in\ - \ [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n) && (chown.uid !=\ - \ chown.file.uid\\\n \\ || chown.gid != chown.file.gid)\"\n- id: systemd_modification_link\n\ - \ version: cbd89cec\n description: Systemd Modification\n expression: \"\ - (\\n (link.file.path in [ ~\\\"/lib/systemd/system/*\\\", ~\\\"/usr/lib/systemd/system/*\\\ - \"\\\n , ~\\\"/etc/systemd/system/*\\\" ]\\n || link.file.destination.path\ - \ in [ ~\\\"/lib/systemd/system/*\\\"\\\n , ~\\\"/usr/lib/systemd/system/*\\\ - \", ~\\\"/etc/systemd/system/*\\\" ])\\n && process.file.path\\\n \\\ - \ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n)\"\n- id:\ - \ systemd_modification_open\n version: b6dce303\n description: Systemd Modification\n\ - \ expression: \"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n\ - \ (open.file.path\\\n \\ in [ ~\\\"/lib/systemd/system/*\\\", ~\\\"\ - /usr/lib/systemd/system/*\\\", ~\\\"/etc/systemd/system/*\\\"\\\n \\ ])\\\ - n && process.file.path not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\ - \"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\ - \n- id: systemd_modification_rename\n version: 1e723c46\n description: Systemd\ - \ Modification\n expression: \"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/*\\\ - \", ~\\\"/usr/lib/systemd/system/*\\\"\\\n , 
~\\\"/etc/systemd/system/*\\\ - \" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/*\\\ - \"\\\n , ~\\\"/usr/lib/systemd/system/*\\\", ~\\\"/etc/systemd/system/*\\\ - \" ])\\n && process.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\", \\\ - \"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n)\"\n- id: systemd_modification_unlink\n version: dcb17382\n\ - \ description: Systemd Modification\n expression: \"(\\n (unlink.file.path\ - \ in [ ~\\\"/lib/systemd/system/*\\\", ~\\\"/usr/lib/systemd/system/*\\\"\\\ - \n , ~\\\"/etc/systemd/system/*\\\" ])\\n && process.file.path not in\ - \ [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: systemd_modification_utimes\n\ - \ version: 6b596fc5\n description: Systemd Modification\n expression: \"\ - (\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/*\\\", ~\\\"/usr/lib/systemd/system/*\\\ - \"\\\n , ~\\\"/etc/systemd/system/*\\\" ])\\n && process.file.path not\ - \ in [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"\ - /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n\ - \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n\ - \ version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n\ - \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n\ - \ version: 28ba1078\n description: an agent rule\n expression: 
exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n\ 
- \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n\ - \ version: 28ba1078\n description: an 
agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == 
\"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == 
\"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: user_created_tty\n version: 5b5f4a52\n description: User\ - \ Created Interactively\n expression: exec.file.name in [\"useradd\", \"\ - newusers\"] && exec.tty_name !=\"\"\n" + \ && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n\ + \ version: 55f9569\n description: A new kernel module was added\n expression:\ + \ |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n\ + \ (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + \ ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version:\ + \ ''\n filters: []\n- id: kernel_module_rename\n version: 8dd78e74\n description:\ + \ A new kernel module was added\n expression: |-\n (\n (rename.file.path\ + \ in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path\ + \ in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"\ + /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\ + \n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n\ + \ version: 652391be\n description: A new kernel module was added\n expression:\ + \ |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + 
/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version:\ + \ ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description:\ + \ A new kernel module was added\n expression: |-\n (\n (utimes.file.path\ + \ in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"\ + /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\ + \n )\n agent_version: ''\n filters: []\n- id: kernel_msr_write\n version:\ + \ 2c433a21\n description: A process attempted to enable writing to model-specific\ + \ registers\n expression: exec.comm == \"modprobe\" && process.args =~ \"\ + *msr*allow_writes*\"\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: kmod_list\n version: c353a548\n description: Kernel modules were\ + \ listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args\ + \ in [~\"*list*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n\ + - id: kubernetes_dns_enumeration\n version: 70a1304\n description: Kubernetes\ + \ DNS enumeration\n expression: dns.question.name == \"any.any.svc.cluster.local\"\ + \ && dns.question.type\n == SRV && container.id != \"\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: kubernetes_offensive_tool_executed\n\ + \ version: 18130cbb\n description: Kubernetes offensive tool executed\n\ + \ expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in\ + \ exec.argv ||\n \"kubestriker\" in exec.argv )) || exec.file.name in 
[\"\ + kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\"\ + ,\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version:\ + \ ''\n filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n\ + \ description: The LD_PRELOAD variable is populated by a link to a suspicious\ + \ file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\"\ + \ ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id:\ + \ libpam_ebpf_hook\n version: adbe1bb1\n description: Library libpam.so\ + \ hooked using eBPF\n expression: bpf.cmd == BPF_MAP_CREATE && process.args\ + \ in [r\".*libpam.so.*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: looney_tunables_exploit\n version: 7e9f4346\n description: Looney\ + \ Tunables (CVE-2023-4911) exploit attempted\n expression: exec.file.mode\ + \ & S_ISUID > 0 && exec.file.uid == 0 && exec.uid != 0\n && exec.envs in\ + \ [~\"*GLIBC_TUNABLES*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: memfd_create\n version: 5908512a\n description: memfd object created\n\ + \ expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version:\ + \ ''\n filters: []\n- id: minidump_usage\n version: 3de40e55\n description:\ + \ Process memory was dumped using the minidump function from comsvcs.dll\n\ + \ expression: exec.cmdline =~ \"*MiniDump*\"\n agent_version: ''\n filters:\n\ + \ - os == \"windows\"\n- id: mount_host_fs\n version: accb4f\n description:\ + \ The host file system was mounted in a container\n expression: mount.source.path\ + \ == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n\ + \ agent_version: ''\n filters: []\n- id: net_file_download\n version: 75b930ad\n\ + \ description: A suspicious file was written by a network utility\n expression:\ + \ |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\"\ + , \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name\ + \ in 
[~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path\ + \ in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"\ + ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_unusual_request\n\ + \ version: 3df2d9ef\n description: Network utility executed with suspicious\ + \ URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"]\ + \ && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n\ + \ filters: []\n- id: net_util\n version: c3f2117b\n description: A network\ + \ utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"\ + dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n \ + \ exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id\ + \ == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\"\ + \ ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version:\ + \ 5f7c8871\n description: Exfiltration attempt via network utility\n expression:\ + \ \"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\\ + nexec.args_options\\\n \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\ + \", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\ + \"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n\ + \ version: 69e03ac1\n description: A network utility was executed in a container\n\ + \ expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"\ + host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\"\ + , \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not\ + \ in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version:\ + \ ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n\ + \ description: A network utility was executed in a container\n expression:\ + \ |-\n (exec.comm 
in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\"\ + , ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"\ + ]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"\ + *127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n \ + \ agent_version: ''\n filters: []\n- id: network_sniffing_tool\n version:\ + \ 4ae409bf\n description: Local account groups were enumerated after container\ + \ start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: new_binary_execution_in_container\n\ + \ version: 9dc42e1d\n description: A container executed a new binary not\ + \ found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer\ + \ && process.file.modification_time\n < 30s && exec.file.name != \"\"\n\ + \ agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n version:\ + \ d301aedf\n description: nsswitch may have been modified without authorization\n\ + \ expression: |-\n (\n (chmod.file.path in [ \"/etc/nsswitch.conf\"\ + \ ])\n ) && chmod.file.destination.mode != chmod.file.mode && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n\ + \ description: nsswitch may have been modified without authorization\n expression:\ + \ |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n \ + \ ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ + \ != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n-\ + \ id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch\ + \ Configuration Modified\n expression: |-\n (\n (link.file.path\ + \ in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in\ + \ [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n\ + - id: nsswitch_conf_mod_open\n version: b5602c6f\n description: nsswitch\ + \ may have been modified without authorization\n expression: |-\n (\n\ + \ open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path\ + \ in [ \"/etc/nsswitch.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n\ + \ description: nsswitch may have been modified without authorization\n expression:\ + \ |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n \ + \ (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at\ + \ > 90s && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n-\ + \ id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch\ + \ Configuration Modified\n expression: |-\n (\n (rename.file.path\ + \ in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in\ + \ [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n\ + - id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch\ + \ Configuration Modified\n expression: |-\n (\n (unlink.file.path\ + \ in [ 
\"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n\ + - id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch\ + \ Configuration Modified\n expression: |-\n (\n (utimes.file.path\ + \ in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n\ + - id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced\ + \ in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version:\ + \ ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version:\ + \ b83fba22\n description: A known kubernetes pentesting tool has been executed\n\ + \ expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in\ + \ exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in\ + \ [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\"\ + ,\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version:\ + \ ''\n filters: []\n- id: omigod\n version: 2064b3b4\n description: Omiagent\ + \ spawns a privileged child process\n expression: exec.uid >= 0 && process.ancestors.file.name\ + \ == \"omiagent\"\n agent_version: ''\n filters:\n - os == \"linux\"\n\ + - id: open_msr_writes\n version: 261f8f98\n description: A process opened\ + \ a model-specific register (MSR) configuration file\n expression: open.file.path\ + \ == \"/sys/module/msr/parameters/allow_writes\" && open.flags\n & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY\ + \ > 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: package_management_in_container\n\ + \ version: c152fcaf\n description: Package management was detected in a\ + \ container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: package_management_in_container_v2\n\ + \ version: 
7eb85510\n description: Package management was detected in a\ + \ conatiner outside of container\n start_up\n expression: exec.file.path\ + \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"] && container.id != \"\" && container.created_at\n\ + \ > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_chmod\n\ + \ version: 974a676e\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n\ + \ agent_version: ''\n filters: []\n- id: pam_modification_chown\n version:\ + \ d89aa0a7\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid\ + \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n\ + \ filters: []\n- id: pam_modification_link\n version: aa68153f\n description:\ + \ PAM may have been modified without authorization\n expression: |-\n \ + \ (\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n\ + \ || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\"\ + \ ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n\ + \ version: e22e05b7\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\"\ + \ ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n\ + \ version: bd1d257a\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\" ]\n || 
rename.file.destination.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n\ + \ version: c3dc53e1\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n\ + \ version: d377b599\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n\ + - id: passwd_execution\n version: e1d41f5e\n description: The passwd or\ + \ chpasswd utility was used to modify an account password\n expression: exec.file.path\ + \ in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n \ + \ not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n\ + \ version: 3dcef11\n description: A DNS lookup was done for a pastebin-like\ + \ site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\"\ + , \"termbin.com\",\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version:\ + \ ''\n filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: b858137e\n\ + \ description: Critical system binaries may have been modified\n expression:\ + \ |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"\ + /usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\"\ + , ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n\ + \ agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n\ + \ version: d6630ebc\n description: Critical system binaries may have been\ + \ modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\"\ + , ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\",\ + \ ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not\ + \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid\ + \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n\ + \ filters: []\n- id: pci_11_5_critical_binaries_link\n version: 9b8182c6\n\ + \ description: Critical system binaries may have been modified\n expression:\ + \ |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ + , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ + \ ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\"\ + , ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\"\ + , ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id:\ + \ pci_11_5_critical_binaries_open\n version: ce1c6918\n description: Critical\ + \ system binaries may have been modified\n expression: |-\n (\n \ + \ open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path\ + \ in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\"\ + , ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not\ + \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os ==\ + \ \"linux\"\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n\ + \ description: Critical system binaries may have been modified\n expression:\ + \ |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n\ + \ open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"\ + /usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ + \ ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version:\ + \ 2a133ffc\n description: Critical system binaries may have been modified\n\ + \ expression: |-\n (\n (rename.file.path in [ ~\"/bin/*\", ~\"\ + /sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\"\ + , ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\"\ + , ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\",\ + \ ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not\ + \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id:\ + \ pci_11_5_critical_binaries_unlink\n version: a750ab26\n description: Critical\ + \ system binaries may have been modified\n expression: |-\n (\n \ + \ (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"\ + /usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n\ + \ version: 5e2a9d6f\n description: Critical system binaries may have been\ + \ modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\"\ + , ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\",\ + \ ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not\ + \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id:\ + \ potential_cryptominer\n version: 47048a42\n description: A process resolved\ + \ a DNS name associated with cryptomining activity\n expression: dns.question.name\ + \ in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"\ + *c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"\ + *poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version:\ + \ ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n\ + \ description: A web application spawned a shell or shell utility\n expression:\ + \ |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n\ + \ \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \ + \ \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ + ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ + ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ + ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\"\ + ,\n \"/bin/rksh\",\n \"/bin/rksh93\",\n 
\"/bin/lksh\",\n \ + \ \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\"\ + ,\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \ + \ \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\"\ + \ ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path\ + \ in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\"\ + ,\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\"\ + ,\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"\ + /bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"\ + /bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\"\ + ,\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\"\ + ,\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\"\ + ,\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\"\ + ,\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\"\ + ,\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\"\ + ,\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\"\ + ,\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\"\ + ,\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\"\ + ,\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\"\ + ,\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\"\ + ,\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\"\ + ,\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\"\ + ,\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\"\ + ,\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\"\ + ,\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\"\ + 
,\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\"\ + ,\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\"\ + ,\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"\ + /usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"\ + nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\"\ + )\n agent_version: ''\n filters: []\n- id: procdump_execution\n version:\ + \ bfcebb5c\n description: A tool used to dump process memory has been executed\n\ + \ expression: exec.file.name in [\"procmon.exe\",\"procdump.exe\"]\n agent_version:\ + \ ''\n filters:\n - os == \"windows\"\n- id: ptrace_antidebug\n version:\ + \ a6289ff7\n description: A process uses an anti-debugging technique to block\ + \ debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name\ + \ != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version:\ + \ 6d290a43\n description: A process attempted to inject code into another\ + \ process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request\ + \ == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version:\ + \ ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n\ + \ description: A process was spawned with indicators of exploitation of CVE-2021-4034\n\ + \ expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"\ + *SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"\ + ] && exec.uid != 0)\n agent_version: ''\n filters:\n - os == \"linux\"\n\ + - id: python_cli_code\n version: '989474'\n description: Python code was\ + \ provided on the command line\n expression: exec.file.name == ~\"python*\"\ + \ && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\"\ + , ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"\ + ]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters: []\n\ + - 
id: ransomware_note\n version: ffd9b885\n description: Possible ransomware\ + \ note created under common user directories\n expression: open.flags & O_CREAT\ + \ > 0 && open.file.path in [~\"/home/**\", ~\"/root/**\",\n ~\"/bin/**\"\ + , ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\"\ + ,\n ~\"/var/backup/**\", ~\"/var/www/**\"] && open.file.name in [r\"(?i).*(restore|recovery|readme|instruction|how_to|ransom).*|.*(your_|crypt|lock|important).*\\\ + .txt$\"]\n && open.file.name != \"README.md\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description:\ + \ RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"]))\ + \ && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n\ + \ description: The kubeconfig file was accessed\n expression: open.file.path\ + \ in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version:\ + \ ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description:\ + \ OS information was read from the /etc/lsb-release file\n expression: open.file.path\ + \ == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n\ + \ filters: []\n- id: redis_sandbox_escape\n version: d7eb615a\n description:\ + \ Detects CVE-2022-0543\n expression: (open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\"\ + \ && open.file.name in\n [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\"\ + , \"libc-2.32.so\", \"libc-2.33.so\",\n \"libc-2.34.so\", \"libc-2.35.so\"\ + , \"libc-2.36.so\", \"libc-2.37.so\"]) && process.ancestors.comm\n in [\"\ + redis-check-rdb\", 
\"redis-server\"]\n agent_version: ''\n filters: []\n\ + - id: redis_save_module\n version: b1cb9110\n description: Redis module\ + \ has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\"\ + , ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\"\ + , \"redis-server\"]\n agent_version: ''\n filters: []\n- id: runc_modification\n\ + \ version: c7144439\n description: The runc binary was modified in a non-standard\ + \ way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\"\ + , \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY\ + \ > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n agent_version: ''\n filters: []\n- id: scheduled_task_creation\n version:\ + \ 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name\ + \ in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os\ + \ == \"windows\"\n- id: selinux_disable_enforcement\n version: afa9a8ba\n\ + \ description: SELinux enforcement status was disabled\n expression: selinux.enforce.status\ + \ in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"\ + *BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: sensitive_tracing\n\ + \ version: c4585b20\n description: A process is tracing privileged processes\ + \ or sshd for possible credential\n dumping\n expression: (ptrace.request\ + \ == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA\n || 
ptrace.request\ + \ == PTRACE_PEEKUSR) && ptrace.tracee.euid == 0 && process.comm\n not in\ + \ [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]\n \ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: service_stop\n\ + \ version: 8e434232\n description: systemctl used to stop a service\n expression:\ + \ exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version:\ + \ ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description:\ + \ Shell History was Deleted\n expression: (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\"\ + ) && process.comm\n not in [\"dockerd\", \"containerd\"]\n agent_version:\ + \ ''\n filters: []\n- id: shell_history_symlink\n version: 31982e4d\n description:\ + \ A symbolic link for shell history was created targeting /dev/null\n expression:\ + \ exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n\ + \ agent_version: ''\n filters: []\n- id: shell_history_truncated\n version:\ + \ 38ec83e8\n description: Shell History was Deleted\n expression: open.flags\ + \ & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\"\ + \ && open.file.path in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name\ + \ == \"truncate\"\n agent_version: ''\n filters: []\n- id: shell_profile_modification\n\ + \ version: d1cecdac\n description: Shell profile was modified\n expression:\ + \ open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n\ + \ & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters:\ + \ []\n- id: ssh_authorized_keys_chmod\n version: 79be8a18\n description:\ + \ SSH modified keys may have been modified\n expression: |-\n (\n \ + \ chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path\ + \ in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n\ + \ ) && chmod.file.destination.mode != chmod.file.mode\n agent_version:\ + \ ''\n filters: []\n- 
id: ssh_authorized_keys_chown\n version: 7c835bfd\n\ + \ description: SSH modified keys may have been modified\n expression: |-\n\ + \ (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ + \ ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ + \ ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ + \ != chown.file.gid)\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: ssh_authorized_keys_link\n version: 979d56a1\n description: SSH\ + \ modified keys may have been modified\n expression: |-\n (\n link.file.name\ + \ in [ \"authorized_keys\", \"authorized_keys2\" ] && (link.file.path in [\ + \ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n \ + \ || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\"\ + , ~\"/var/lib/*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n-\ + \ id: ssh_authorized_keys_open\n version: c4fa7b8f\n description: SSH modified\ + \ keys may have been modified\n expression: |-\n (\n open.flags\ + \ & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [\ + \ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"\ + /root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n )\n agent_version:\ + \ ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n\ + \ description: SSH modified keys may have been modified\n expression: |-\n\ + \ (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n \ + \ open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] &&\ + \ (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ + \ ])\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: ssh_authorized_keys_rename\n version: 6f58449a\n\ + \ description: SSH modified keys may have been modified\n expression: |-\n\ + \ (\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ + \ ] 
&& (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"\ + /var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\"\ + , ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n )\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: ssh_authorized_keys_unlink\n\ + \ version: 41090e4e\n description: SSH modified keys may have been modified\n\ + \ expression: |-\n (\n unlink.file.name in [ \"authorized_keys\"\ + , \"authorized_keys2\" ] && (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"\ + /home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n )\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: ssh_authorized_keys_utimes\n version:\ + \ c614f0d\n description: SSH modified keys may have been modified\n expression:\ + \ |-\n (\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ + \ ] && (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"\ + /var/lib/*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_chmod\n\ + \ version: 128236e9\n description: SSL certificates may have been tampered\ + \ with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\"\ + , ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path\ + \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ + \ ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 
5af3db18\n\ + \ description: SSL certificates may have been tampered with\n expression:\ + \ |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ + \ != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: 1f02b72d\n\ + \ description: SSL certificates may have been tampered with\n expression:\ + \ |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ + \ ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"\ + /etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n\ + \ && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n\ + \ filters: []\n- id: 
ssl_certificate_tampering_open\n version: c34bcf3a\n\ + \ description: SSL certificates may have been tampered with\n expression:\ + \ |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n \ + \ (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \ + \ )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n \ + \ && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\ + \ []\n- id: ssl_certificate_tampering_open_v2\n version: a90058eb\n description:\ + \ SSL certificates may have been tampered with\n expression: |-\n (\n\ + \ open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path\ + \ in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path\ + \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at\ + \ > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_rename\n\ + \ version: e74f2226\n description: SSL certificates may have been tampered\ + \ with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\"\ + , ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\"\ + , ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\ + \ []\n- id: ssl_certificate_tampering_unlink\n version: 774e2aea\n description:\ + \ SSL certificates may have been tampered with\n expression: |-\n (\n\ + \ (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\ + \ []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description:\ + \ SSL certificates may have been tampered with\n expression: |-\n (\n\ + \ (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ 
+ \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n\ + \ description: Sudoers policy file may have been modified without authorization\n\ + \ expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) &&\ + \ chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path\ + \ not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\ + \", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\ + \"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\ + \"\\\n ]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ sudoers_policy_modified_chown\n version: 898b1aa0\n description: Sudoers\ + \ policy file may have been modified without authorization\n expression:\ + \ |-\n (\n (chown.file.path == \"/etc/sudoers\")\n ) && (chown.file.destination.uid\ + \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version:\ + \ ''\n filters: []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n\ + \ description: Sudoers policy file may have been modified without authorization\n\ + \ expression: |-\n (\n (link.file.path == \"/etc/sudoers\"\n \ + \ || link.file.destination.path == \"/etc/sudoers\")\n )\n agent_version:\ + \ ''\n filters: []\n- id: sudoers_policy_modified_open\n version: af2610b6\n\ + \ description: Sudoers policy file may have been modified without authorization\n\ + \ expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not\ + \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description:\ + \ Sudoers policy file may have been modified without authorization\n expression:\ + \ |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path\ + \ == \"/etc/sudoers\")\n )\n agent_version: ''\n filters:\n - os ==\ + \ \"linux\"\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n \ + \ description: Sudoers policy file may have been modified without authorization\n\ + \ expression: |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n\ + \ )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n\ + \ version: d99c2466\n description: Sudoers policy file may have been modified\ + \ without authorization\n expression: |-\n (\n (utimes.file.path\ + \ == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: suid_file_execution\n version: 1b4f4075\n description:\ + \ a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid\ + \ == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid ==\ + \ 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version:\ + \ ''\n filters: []\n- id: suspicious_bitsadmin_usage\n version: 86c03d62\n\ + \ description: A suspicious bitsadmin command has been executed\n expression:\ + \ exec.file.name == \"bitsadmin.exe\" && exec.cmdline in [~\"*addfile*\",\n\ + \ ~\"*create*\", ~\"*resume*\"]\n agent_version: ''\n filters:\n - os\ + \ == \"windows\"\n- id: suspicious_container_client\n version: 8b9461f4\n\ + \ description: 
A container management utility was executed in a container\n\ + \ expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id\ + \ != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: suspicious_suid_execution\n\ + \ version: 216c8207\n description: Recently written or modified suid file\ + \ has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n\ + \ < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in\ + \ [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\"\ + , \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\"\ + , \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\"\ + , \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n\ + \ \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n\ + \ version: e555b2b0\n description: A service may have been modified without\ + \ authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"\ + /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version:\ + \ ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n\ + \ description: A service may have been modified without authorization\n \ + \ expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\"\ + , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \ + \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ + /usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid\ + \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version:\ + \ ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n\ + \ description: A service may have been modified without authorization\n \ + \ expression: |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\"\ + , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n \ + \ || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ + , ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"\ + /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id:\ + \ systemd_modification_open\n version: 13b2daf3\n description: A service\ + \ may have been modified without authorization\n expression: |-\n (\n\ + \ open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path\ + \ in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_rename\n\ + \ version: 9759ce6\n description: A service may have been modified without\ + \ authorization\n expression: |-\n (\n (rename.file.path in [ ~\"\ + /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ + \ ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\"\ + , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n 
\ + \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ + /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ + \ ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n\ + \ description: A service may have been modified without authorization\n \ + \ expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\"\ + , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \ + \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ + /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_utimes\n\ + \ version: 82acf2d\n description: A service may have been modified without\ + \ authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"\ + /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tar_execution\n\ + \ version: e63af392\n description: Tar archive created\n expression: exec.file.path\ + \ == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: tde_malware_egress_traffic_allowed_iptables\n\ + \ version: 14f124d7\n description: iptables used to allow egress traffic\n\ + \ expression: exec.comm == \"iptables\" && process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\\ + d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"]\n && process.args not in [r\"(127\\\ + 
.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(172\\.3[0-1]|\\.)|(192\\.168\\\ + .)|(169\\.254\\.)\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: tde_malware_files_with_extensions_created\n version: 161c317f\n \ + \ description: Multiple files with extensions created under common user directories\n\ + \ expression: rename.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\"\ + , ~\"/usr/bin/**\",\n ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/*\"\ + , ~\"/var/www/**\"] && rename.file.destination.name\n in [r\"\\.[0-9a-z]+$\"\ + ] && rename.file.destination.name not in [r\".*\\.(lock|dbtmp|log|journal|ini|sh|json|yml|tmp|snap|txt|pyc|stat|hcl|[0-9])+$\"\ + ]\n && process.comm not in [\"python\",\"python3\",\"agent\",\"security-agent\"\ + ,\"kubectl\",\"kubelet\",\"datadog-cluster\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: tde_malware_kernel_module_loaded_from_tmp\n version:\ + \ 7673f399\n description: Kernel module loaded from common tmp directories\n\ + \ expression: load_module.file.path in [ ~\"/tmp/**\", ~\"/var/tmp/**\" ]\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_libpam_hooked_using_ebpf\n\ + \ version: adbe1bb1\n description: Libpam.so library hooked using ebpf\n\ + \ expression: bpf.cmd == BPF_MAP_CREATE && process.args in [r\".*libpam.so.*\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_privileged_processes_or_sshd_traced\n\ + \ version: eda95b21\n description: A process is tracing privileged processes\ + \ or sshd for possible credential\n dumping\n expression: ((ptrace.tracee.euid==0\ + \ && ptrace.tracee.uid ==0)||ptrace.tracee.comm\n in [~\"*sshd*\"]) &&\ + \ process.comm not in [\"dlv\"]\n agent_version: ''\n filters:\n - os ==\ + \ \"linux\"\n- id: tde_malware_proxychains_executed\n version: 192a7f03\n\ + \ description: Proxychaining technique used\n expression: exec.comm == \"\ + proxychains\"\n agent_version: ''\n filters:\n - os == 
\"linux\"\n- id:\ + \ tde_malware_ransomware_notes_written\n version: 6d3052dc\n description:\ + \ A possible ransomware note created under common user directories\n expression:\ + \ open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\"\ + ,\n ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\"\ + , ~\"/var/backup/**\",\n ~\"/var/www/**\"] && open.file.name in [r\".*(restore|recovery|readme|instruction|how_to|ransom).*\"\ + ,\n r\".*(your_|crypt|lock|important).*\\.txt$\"]\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: tde_malware_system_logs_deleted\n\ + \ version: f5fec42d\n description: A process deleted common system log files\n\ + \ expression: unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\",\ + \ \"/var/log/btmp\",\n \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\"\ + , \"/var/log/messages\",\n \"/var/log/secure\", \"/var/log/auth.log\",\ + \ \"/var/log/boot.log\", \"/var/log/kern.log\"]\n && process.comm !=\"\ + dockerd\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_tunneling_and_port_forwarding_technique_used\n\ + \ version: e253fced\n description: Tunneling and port forwarding tool used\n\ + \ expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") &&\ + \ process.args\n in [r\".*(-L|-C|-R).*\"])||(exec.comm in [\"ssh\", \"\ + sshd\"] && process.args in [r\".*(-R|-L|-D|w).*\"]\n && process.args in\ + \ [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm\n \ + \ == \"sshuttle\" && process.args in [r\".*(-r|--remote|-l|--listen).*\"\ + ]) || (exec.comm\n == \"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"\ + ]) || (exec.comm in\n [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"\ + hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\",\n \"ngrok\"] && process.parent.comm\ + \ in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\"\ + , \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == 
\"linux\"\ + \n- id: tde_nsenter_pid1_detection\n version: 7a2d42c7\n description: nsenter\ + \ used in container to execute code on the OS PID1\n expression: exec.file.name\ + \ == \"nsenter\" && exec.args_options in [\"target=1\", \"t=1\"]\n && container.id\ + \ !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_red_team_domains_used\n\ + \ version: 1b507607\n description: Connection to red team domain\n expression:\ + \ dns.question.name in [~\"*.interact.sh\" , ~\"*.oast.pro\" , ~\"*.oast.live\"\ + \n , ~\"*.oast.site\" , ~\"*.oast.online\" , ~\"*.oast.fun\" , ~\"*.oast.me\"\ + \ , ~\"*.burpcollaborator.net\"\n , ~\"*.oastify.com\" , ~\"*canarytokens.com\"\ + \ , ~\"*.requestbin.net\" , ~\"*.dnslog.cn\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: tde_testing_tampering\n version: c2be3b92\n \ + \ description: testing only\n expression: exec.comm == \"abcdefgh\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: tty_shell_in_container\n version:\ + \ 3d9489bb\n description: A shell with a TTY was executed in a container\n\ + \ expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\"\ + ,\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n\ + \ \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ + ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ + ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ + ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\"\ + ,\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \ + \ \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\"\ + ,\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \ + \ \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\"\ + \ ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version:\ + \ ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description:\ + \ Tunneling or port forwarding tool used\n expression: ((exec.comm == 
\"\ + pivotnacci\" || exec.comm == \"gost\") && process.args\n in [r\".*(-L|-C|-R).*\"\ + ]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args in [r\".*(-R|-L|-D|w).*\"\ + ]\n && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"\ + ] ) || (exec.comm\n == \"sshuttle\" && process.args in [r\".*(-r|--remote|-l|--listen).*\"\ + ]) || (exec.comm\n == \"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"\ + ]) || (exec.comm in\n [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"\ + hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\",\n \"ngrok\"] && process.parent.comm\ + \ in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\"\ + , \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created\ + \ via an interactive session\n expression: exec.file.name in [\"useradd\"\ + , \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"\ + /usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \ + \ \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags\ + \ not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n\ + \ version: ad8edbe\n description: A user was deleted via an interactive\ + \ session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name\ + \ !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"\ + /usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n agent_version: ''\n filters: []\n- id: wmi_spawning_shell\n version:\ + \ 6b9ff5c7\n description: Command executed via WMI\n expression: exec.file.name\ + \ in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name\n == \"\ + WmiPrvSE.exe\"\n agent_version: ''\n 
filters:\n - os == \"windows\"\n" headers: content-type: - application/yaml diff --git a/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.frozen new file mode 100644 index 0000000000..075e9525a3 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:21.914Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.yaml new file mode 100644 index 0000000000..0b89b402cc --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.yaml @@ -0,0 +1,18 @@ +interactions: +- request: + body: null + headers: + accept: + - application/zip, application/json + method: GET + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/download + response: + body: + string: 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 + headers: + content-type: + - application/zip + status: + code: 200 + message: OK +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen index 8028840b89..5e91e2259f 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen @@ -1 +1 @@ -2022-05-12T09:51:26.947Z \ No newline at end of file +2024-03-07T18:00:28.216Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml index 38429a7aae..5825d3fab0 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1652349086"},"type":"agent_rule"}}' + == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709834428"},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,12 +11,16 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"attributes":{"category":"Process Activity","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1652349086","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349087367,"creationDate":1652349087367,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"ezf-mkn-g0o"}}' + string: '{"data":{"id":"fzi-lju-e5j","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709834428","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709834428669,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709834428669,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le + Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} + + ' headers: content-type: - - application/json;charset=utf-8 + - application/json status: code: 200 message: OK 
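Review bot: The re-recorded POST response on the new side of this hunk now carries the recording engineer's real identity — `"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}`, the same in `updater`, plus a real user UUID in `creationAuthorUuId`/`updateAuthorUuId` — where the old recording had the placeholder `frog@datadoghq.com` with `"name":null`. Committed cassettes are public, so this should be scrubbed at record time rather than by hand: a VCR `before_record_response` hook that rewrites `creator`/`updater` to `{"name":null,"handle":"frog@datadoghq.com"}` and both author UUIDs to a fixed dummy value would keep every regenerated cassette clean. The same identity appears in every other cassette touched by this patch, so the filter belongs in the shared recording configuration, not in this file.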
@@ -29,12 +33,14 @@ interactions: content-type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ezf-mkn-g0o + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/fzi-lju-e5j response: body: string: '{"errors":["input_validation_error(Field ''expression'' is invalid: - rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1652349086` - definition error: syntax error: 1:18: unexpected token \"sh\" (expected \"~\"))"]}' + rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709834428` + error: syntax error `1:18: unexpected token \"sh\" (expected \"~\")`)"]} + + ' headers: content-type: - application/json @@ -47,13 +53,11 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ezf-mkn-g0o + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/fzi-lju-e5j response: body: string: '' - headers: - content-type: - - application/json;charset=utf-8 + headers: {} status: code: 204 message: No Content diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen index 27f706249c..6a148b16d8 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen @@ -1 +1 @@ -2022-01-11T18:11:42.604Z \ No newline at end of file +2024-03-07T18:00:29.647Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml index a1c5c5f338..771af07a7f 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml @@ -11,7 +11,9 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz response: body: - string: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]}' + string: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]} + + ' headers: content-type: - application/json diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.frozen index 0aec4a5ed8..770516816c 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2022-05-12T09:51:28.357Z \ No newline at end of file +2024-03-07T18:00:30.008Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.yaml index f1dc5e7b04..530309607e 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.yaml 
+++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1652349088"},"type":"agent_rule"}}' + == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1709834430"},"type":"agent_rule"}}' headers: accept: - application/json @@ -11,12 +11,16 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"attributes":{"category":"Process Activity","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1652349088","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349088786,"creationDate":1652349088786,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"ivl-0d3-hga"}}' + string: '{"data":{"id":"a6l-4pq-5hh","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1709834430","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709834430436,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709834430436,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le + Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} + + ' headers: content-type: - - application/json;charset=utf-8 + - application/json status: code: 200 message: OK 
@@ -29,15 +33,19 @@ interactions: content-type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ivl-0d3-hga + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/a6l-4pq-5hh response: body: - string: '{"data":{"attributes":{"category":"Process Activity","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1652349088","creator":{"handle":"frog@datadoghq.com","name":null},"description":"Test - Agent rule","enabled":true,"defaultRule":false,"version":2,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349089262,"creationDate":1652349088786,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"ivl-0d3-hga"}}' + string: '{"data":{"id":"a6l-4pq-5hh","attributes":{"version":2,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1709834430","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709834430436,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709834430890,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le + Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} + + ' headers: content-type: - - application/json;charset=utf-8 + - application/json status: code: 200 message: OK 
@@ -47,13 +55,11 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ivl-0d3-hga + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/a6l-4pq-5hh response: body: string: '' - headers: - content-type: - - application/json;charset=utf-8 + headers: {} status: code: 204 message: No Content diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.frozen new file mode 100644 index 0000000000..5eb364ea96 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:23.328Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.yaml new file mode 100644 index 0000000000..aa21e4819b --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.yaml 
@@ -0,0 +1,61 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1709834423"},"type":"agent_rule"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + response: + body: + string: '{"data":{"id":"5xo-szc-l3l","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1709834423720,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":null,"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1709834423","updateDate":1709834423720,"updater":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path + = sh"},"id":"abc-123-xyz","type":"agent_rule"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: PATCH + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/5xo-szc-l3l + response: + body: + string: '{"errors":[{"title":"failed to update rule"}]} + + ' + headers: + content-type: + - application/json + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/5xo-szc-l3l + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +version: 1 
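Review bot: The PATCH in the second interaction sends `"id":"abc-123-xyz"` in the JSON body while the request URI targets `/agent_rules/5xo-szc-l3l`, so the recorded 400 may be the server rejecting the body/path id mismatch rather than the malformed expression `open.file.path = sh` the scenario is meant to exercise. The response body is only `{"errors":[{"title":"failed to update rule"}]}` and does not say which, unlike the legacy endpoint's `input_validation_error(... syntax error ...)` in the neighbouring cassette. The bad-request scenario in the feature file (outside this chunk) should send the id that matches the path, or omit it, so the test actually pins expression validation; the body id looks copied from the not-found scenario. Worth confirming against the API that a mismatched id is rejected before relying on this cassette.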
diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.frozen new file mode 100644 index 0000000000..39725d6136 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:25.485Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.yaml new file mode 100644 index 0000000000..a58608b19e --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.yaml @@ -0,0 +1,23 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == \"sh\""},"id":"abc-123-xyz","type":"agent_rule"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: PATCH + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz + response: + body: + string: '{"errors":[{"title":"failed to update rule"}]} + + ' + headers: + content-type: + - application/json + status: + code: 404 + message: Not Found +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.frozen new file mode 100644 index 0000000000..f2ff096723 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.frozen @@ -0,0 +1 @@ +2024-03-07T18:00:25.966Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.yaml new file mode 100644 index 0000000000..1bb30fdd8b --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.yaml 
@@ -0,0 +1,62 @@
+interactions:
+- request:
+ body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name
+ == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsokresponse1709834425"},"type":"agent_rule"}}'
+ headers:
+ accept:
+ - application/json
+ content-type:
+ - application/json
+ method: POST
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ response:
+ body:
+ string: '{"data":{"id":"tnh-7wr-sbw","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1709834426368,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":null,"name":"testupdateacsmthreatsagentrulereturnsokresponse1709834425","updateDate":1709834426368,"updater":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"}}}}'
+ headers:
+ content-type:
+ - application/json
+ status:
+ code: 200
+ message: OK
+- request:
+ body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name
+ == \"sh\""},"id":"tnh-7wr-sbw","type":"agent_rule"}}'
+ headers:
+ accept:
+ - application/json
+ content-type:
+ - application/json
+ method: PATCH
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/tnh-7wr-sbw
+ response:
+ body:
+ string: '{"data":{"id":"tnh-7wr-sbw","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1709834426000,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"Test
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":null,"name":"testupdateacsmthreatsagentrulereturnsokresponse1709834425","updateDate":1709834427132,"updater":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"}}}}'
+ headers:
+ content-type:
+ - application/json
+ status:
+ code: 200
+ message: OK
+- request:
+ body: null
+ headers:
+ accept:
+ - '*/*'
+ method: DELETE
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/tnh-7wr-sbw
+ response:
+ body:
+ string: ''
+ headers:
+ content-type:
+ - application/json
+ status:
+ code: 204
+ message: No Content
+version: 1
diff --git a/tests/v2/features/cloud_workload_security.feature b/tests/v2/features/cloud_workload_security.feature
index ae068c81dc..338b440b42 100644
--- a/tests/v2/features/cloud_workload_security.feature
+++ b/tests/v2/features/cloud_workload_security.feature
@@ -10,6 +10,27 @@ Feature: Cloud Workload Security
 And a valid "appKeyAuth" key in the system
 And an instance of "CloudWorkloadSecurity" API
 
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Create a CSM Threats Agent rule returns "Bad Request" response
+ Given new "CreateCSMThreatsAgentRule" request
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == sh", "name": "my_agent_rule"}, "type": "agent_rule"}}
+ When the request is sent
+ Then the response status is 400 Bad Request
+
+ @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Create a CSM Threats Agent rule returns "Conflict" response
+ Given new "CreateCSMThreatsAgentRule" request
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "my_agent_rule"}, "type": "agent_rule"}}
+ When the request is sent
+ Then the response status is 409 Conflict
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Create a CSM Threats Agent rule returns "OK" response
+ Given new "CreateCSMThreatsAgentRule" request
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "my_agent_rule"}, "type": "agent_rule"}}
+ When the request is sent
+ Then the response status is 200 OK
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Create a Cloud Workload Security Agent rule returns "Bad Request" response
 Given new "CreateCloudWorkloadSecurityAgentRule" request
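Review bot: The skipped `Create a CSM Threats Agent rule returns "Conflict" response` scenario has no setup that would make the request conflict: it sends the same body as the "OK" scenario against a clean system, so un-skipping it would presumably not yield a 409. A `Given there is a valid "agent_rule_rc" in the system` step plus a body whose `name` matches that fixture (`"name": "{{ agent_rule.data.attributes.name }}"`) would give the scenario something to collide with. If the skip is intentional because the backend cannot reproduce this state, a one-line comment saying so above the `@skip` tag would stop the next reader from trying to enable it.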
@@ -33,6 +54,21 @@ Feature: Cloud Workload Security
 And the response "data.type" is equal to "agent_rule"
 And the response "data.attributes.description" is equal to "Test Agent rule"
 
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Delete a CSM Threats Agent rule returns "Not Found" response
+ Given new "DeleteCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter with value "abc-123-xyz"
+ When the request is sent
+ Then the response status is 404 Not Found
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Delete a CSM Threats Agent rule returns "OK" response
+ Given there is a valid "agent_rule_rc" in the system
+ And new "DeleteCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ When the request is sent
+ Then the response status is 204 OK
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Delete a Cloud Workload Security Agent rule returns "Not Found" response
 Given new "DeleteCloudWorkloadSecurityAgentRule" request
@@ -48,6 +84,23 @@ Feature: Cloud Workload Security
 When the request is sent
 Then the response status is 204 OK
 
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Get a CSM Threats Agent rule returns "Not Found" response
+ Given new "GetCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter with value "abc-123-xyz"
+ When the request is sent
+ Then the response status is 404 Not Found
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Get a CSM Threats Agent rule returns "OK" response
+ Given there is a valid "agent_rule_rc" in the system
+ And new "GetCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ When the request is sent
+ Then the response status is 200 OK
+ And the response "data.type" is equal to "agent_rule"
+ And the response "data.attributes.description" is equal to "My Agent rule"
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get a Cloud Workload Security Agent rule returns "Not Found" response
 Given new "GetCloudWorkloadSecurityAgentRule" request
@@ -65,6 +118,12 @@ Feature: Cloud Workload Security
 And the response "data.type" is equal to "agent_rule"
 And the response "data.attributes.description" is equal to "My Agent rule"
 
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Get all CSM Threats Agent rules returns "OK" response
+ Given new "ListCSMThreatsAgentRules" request
+ When the request is sent
+ Then the response status is 200 OK
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get all Cloud Workload Security Agent rules returns "OK" response
 Given there is a valid "agent_rule" in the system
@@ -73,12 +132,54 @@ Feature: Cloud Workload Security
 Then the response status is 200 OK
 And the response "data[0].type" is equal to "agent_rule"
 
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Get the latest CSM Threats policy returns "OK" response
+ Given new "DownloadCSMThreatsPolicy" request
+ When the request is sent
+ Then the response status is 200 OK
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get the latest Cloud Workload Security policy returns "OK" response
 Given new "DownloadCloudWorkloadPolicyFile" request
 When the request is sent
 Then the response status is 200 OK
 
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Update a CSM Threats Agent rule returns "Bad Request" response
+ Given there is a valid "agent_rule_rc" in the system
+ And new "UpdateCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh"}, "type": "agent_rule", "id":"abc-123-xyz"}}
+ When the request is sent
+ Then the response status is 400 Bad Request
+
+ @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Update a CSM Threats Agent rule returns "Concurrent Modification" response
+ Given new "UpdateCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter from "REPLACE.ME"
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule"}}
+ When the request is sent
+ Then the response status is 409 Concurrent Modification
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Update a CSM Threats Agent rule returns "Not Found" response
+ Given new "UpdateCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter with value "abc-123-xyz"
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"abc-123-xyz"}}
+ When the request is sent
+ Then the response status is 404 Not Found
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Update a CSM Threats Agent rule returns "OK" response
+ Given there is a valid "agent_rule_rc" in the system
+ And new "UpdateCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}}
+ When the request is sent
+ Then the response status is 200 OK
+ And the response "data.type" is equal to "agent_rule"
+ And the response "data.attributes.description" is equal to "Test Agent rule"
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Update a Cloud Workload Security Agent rule returns "Bad Request" response
 Given there is a valid "agent_rule" in the system
diff --git a/tests/v2/features/given.json b/tests/v2/features/given.json
index 8c2a75b9b1..73de3c05e3 100644
--- a/tests/v2/features/given.json
+++ b/tests/v2/features/given.json
@@ -355,6 +355,18 @@
 "tag": "Powerpack",
 "operationId": "CreatePowerpack"
 },
+ {
+ "parameters": [
+ {
+ "name": "body",
+ "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"enabled\": true\n }\n }\n}"
+ }
+ ],
+ "step": "there is a valid \"agent_rule_rc\" in the system",
+ "key": "agent_rule",
+ "tag": "Cloud Workload Security",
+ "operationId": "CreateCSMThreatsAgentRule"
+ },
 {
 "parameters": [
 {
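Review bot: The `Update a CSM Threats Agent rule returns "Bad Request" response` scenario sends `"id":"abc-123-xyz"` in the body while the path parameter is taken from `agent_rule.data.id`, so the 400 could be produced by the body/path id mismatch rather than by the malformed expression `open.file.path = sh` the scenario appears to be exercising; using `"id":"{{ agent_rule.data.id }}"` as the "OK" scenario does would pin the failure to the expression. The skipped `"Concurrent Modification"` scenario still carries the `REPLACE.ME` placeholder for `agent_rule_id` and omits the body `id`, so it cannot be un-skipped as written; a short comment above its `@skip` tag stating what is missing would help. The enclosing feature file continues beyond this hunk.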
diff --git a/tests/v2/features/undo.json b/tests/v2/features/undo.json
index 387676557a..90fee66806 100644
--- a/tests/v2/features/undo.json
+++ b/tests/v2/features/undo.json
@@ -1333,6 +1333,49 @@
 "type": "idempotent"
 }
 },
+ "ListCSMThreatsAgentRules": {
+ "tag": "Cloud Workload Security",
+ "undo": {
+ "type": "safe"
+ }
+ },
+ "CreateCSMThreatsAgentRule": {
+ "tag": "Cloud Workload Security",
+ "undo": {
+ "operationId": "DeleteCSMThreatsAgentRule",
+ "parameters": [
+ {
+ "name": "agent_rule_id",
+ "source": "data.id"
+ }
+ ],
+ "type": "unsafe"
+ }
+ },
+ "DeleteCSMThreatsAgentRule": {
+ "tag": "Cloud Workload Security",
+ "undo": {
+ "type": "idempotent"
+ }
+ },
+ "GetCSMThreatsAgentRule": {
+ "tag": "Cloud Workload Security",
+ "undo": {
+ "type": "safe"
+ }
+ },
+ "UpdateCSMThreatsAgentRule": {
+ "tag": "Cloud Workload Security",
+ "undo": {
+ "type": "idempotent"
+ }
+ },
+ "DownloadCSMThreatsPolicy": {
+ "tag": "Cloud Workload Security",
+ "undo": {
+ "type": "safe"
+ }
+ },
 "DeleteRestrictionPolicy": {
 "tag": "Restriction Policies",
 "undo": {