diff --git a/.apigentools-info b/.apigentools-info index 90839c6c442..056ea6fe2d4 100644 --- a/.apigentools-info +++ b/.apigentools-info @@ -4,13 +4,13 @@ "spec_versions": { "v1": { "apigentools_version": "1.6.6", - "regenerated": "2024-03-07 17:19:33.084088", - "spec_repo_commit": "52e6d7fb" + "regenerated": "2024-03-08 14:49:45.301266", + "spec_repo_commit": "f5ed7e52" }, "v2": { "apigentools_version": "1.6.6", - "regenerated": "2024-03-07 17:19:33.102076", - "spec_repo_commit": "52e6d7fb" + "regenerated": "2024-03-08 14:49:45.320203", + "spec_repo_commit": "f5ed7e52" } } } \ No newline at end of file diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 9201083ceb7..f4faf832a9f 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -3919,9 +3919,27 @@ components: type: string x-enum-varnames: - CLOUD_COST_ACTIVITY + CloudWorkloadSecurityAgentRuleAction: + description: The action the rule can perform if triggered. + properties: + filter: + description: SECL expression used to target the container to apply the action + on + type: string + kill: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleKill' + type: object + CloudWorkloadSecurityAgentRuleActions: + description: The array of actions the rule can perform if triggered. + items: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleAction' + nullable: true + type: array CloudWorkloadSecurityAgentRuleAttributes: description: A Cloud Workload Security Agent rule returned by the API. properties: + actions: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions' agentConstraint: description: The version of the agent. type: string 
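Review bot: `CloudWorkloadSecurityAgentRuleAction` introduces an enforcement action (`kill`) but neither property says what the action is scoped to when `filter` is omitted, nor what a `null` `actions` array means versus an empty one — and a kill is irreversible on the targeted workload, so that ambiguity belongs in the schema text. Suggest extending the `filter` description to something like `SECL expression used to target the container to apply the action on. When omitted, the action applies to every workload matching the rule expression.` — but confirm that against the Agent's behaviour before committing to it, since nothing in this diff shows it. For `CloudWorkloadSecurityAgentRuleActions`, state the null-vs-empty contract in its description (`Can be null; an empty array disables all actions`, or whatever the server actually does) and consider a `maxItems` bound, since the array is currently unconstrained.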
@@ -4054,6 +4072,17 @@ components: type: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleType' type: object + CloudWorkloadSecurityAgentRuleID: + description: The ID of the agent rule. + example: 3dd-0uc-h1s + type: string + CloudWorkloadSecurityAgentRuleKill: + description: Kill system call applied on the container matching the rule + properties: + signal: + description: Supported signals for the kill system call. + type: string + type: object CloudWorkloadSecurityAgentRuleResponse: description: Response object that includes an Agent rule. properties: @@ -4090,6 +4119,8 @@ components: properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateAttributes' + id: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleID' type: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleType' required: 
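Review bot: `CloudWorkloadSecurityAgentRuleKill.signal` is typed as a free-form `string` although its own description says "Supported signals", so generated clients cannot reject an unsupported value before the request reaches the server and an operator reading the spec has no idea which signals are accepted. If the set is closed, declare it the way the file already declares enums (compare the `x-enum-varnames` block just above): `signal:` / `  type: string` / `  enum: [<supported signals>]` plus `x-enum-varnames`; the actual list has to come from the Agent's kill-action implementation, which is not visible here. At minimum add an `example:` so the docs show the expected form (signal name vs number).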
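Review bot: The update request data now carries an `id` in the PATCH body while the rule is already identified by the `{agent_rule_id}` path parameter, and the spec does not say which one is authoritative or that a mismatch is rejected. A client that sends a body `id` different from the path id could update the wrong rule unless the server enforces equality, so document the contract on the property, e.g. reuse `CloudWorkloadSecurityAgentRuleID` via `allOf` with `description: Must match the agent_rule_id path parameter; the request is rejected otherwise.` — and if the server does not enforce that today, it should. The `required:` list of this object continues past the end of the hunk, so I cannot tell whether `id` is mandatory.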
@@ -29582,6 +29613,154 @@ paths: We are gradually onboarding support for more sources. If you have any feedback, contact [Datadog Support](https://docs.datadoghq.com/help/).' + /api/v2/remote_config/products/cws/agent_rules: + get: + description: Get the list of Cloud Security Management Threats Agent rules. + operationId: ListCSMThreatsAgentRules + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRulesListResponse' + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get all CSM Threats Agent rules + tags: + - Cloud Workload Security + post: + description: Create a new Cloud Security Management Threats Agent rule with + the given parameters. + operationId: CreateCSMThreatsAgentRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateRequest' + description: The definition of the new Agent rule. + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleResponse' + description: OK + '400': + $ref: '#/components/responses/BadRequestResponse' + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '409': + $ref: '#/components/responses/ConflictResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Create a CSM Threats Agent rule + tags: + - Cloud Workload Security + x-codegen-request-body-name: body + /api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}: + delete: + description: Delete a specific Cloud Security Management Threats Agent rule. 
+ operationId: DeleteCSMThreatsAgentRule + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + responses: + '204': + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Delete a CSM Threats Agent rule + tags: + - Cloud Workload Security + get: + description: Get the details of a specific Cloud Security Management Threats + Agent rule. + operationId: GetCSMThreatsAgentRule + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleResponse' + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get a CSM Threats Agent rule + tags: + - Cloud Workload Security + patch: + description: 'Update a specific Cloud Security Management Threats Agent rule. + + Returns the Agent rule object when the request is successful.' + operationId: UpdateCSMThreatsAgentRule + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateRequest' + description: New definition of the Agent rule. 
+ required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleResponse' + description: OK + '400': + $ref: '#/components/responses/BadRequestResponse' + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '409': + $ref: '#/components/responses/ConcurrentModificationResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Update a CSM Threats Agent rule + tags: + - Cloud Workload Security + x-codegen-request-body-name: body + /api/v2/remote_config/products/cws/policy/download: + get: + description: 'The download endpoint generates a CSM Threats policy file from + your currently active + + CSM Threats rules, and downloads them as a `.policy` file. This file can then + be deployed to + + your Agents to update the policy running in your environment.' + operationId: DownloadCSMThreatsPolicy + responses: + '200': + content: + application/zip: + schema: + format: binary + type: string + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get the latest CSM Threats policy + tags: + - Cloud Workload Security /api/v2/restriction_policy/{resource_id}: delete: description: Deletes the restriction policy associated with a specified resource. 
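Review bot: `DownloadCSMThreatsPolicy` declares its only success body as `application/zip`, yet the description says the endpoint "downloads them as a `.policy` file"; one of the two is wrong, and a consumer that writes the body straight to disk as the policy file will either get an archive or a bare file depending on which statement is true. Align the description with what is actually served, e.g. `downloads them as a zip archive containing the policy file` if the archive is real, or change the media type to the bare file's type. Since this artifact is deployed to Agents as enforcement configuration, it is worth stating explicitly in the description that the file reflects only the rules active at the moment of the request and that a new download is needed after any rule change.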
@@ -34821,6 +35000,11 @@ tags: [Test Visibility in Datadog page](https://docs.datadoghq.com/tests/) for more information. name: CI Visibility Tests +- description: Cloud Security Management Threats (CSM Threats) monitors file, network, + and process activity across your environment to detect real-time threats to your + infrastructure. See [Cloud Security Management Threats](https://docs.datadoghq.com/security/threats/) + for more information on setting up CSM Threats. + name: CSM Threats - description: View and manage cases and projects within Case Management. See the [Case Management page](https://docs.datadoghq.com/service_management/case_management/) for more information. diff --git a/api/datadogV2/api_cloud_workload_security.go b/api/datadogV2/api_cloud_workload_security.go index b0cf2c61f28..d1336095979 100644 --- a/api/datadogV2/api_cloud_workload_security.go +++ b/api/datadogV2/api_cloud_workload_security.go 
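Review bot: The new `CSM Threats` tag added here is not referenced by any operation in this diff — every new path under `/api/v2/remote_config/products/cws/` is tagged `- Cloud Workload Security` — so the tag will render as an empty group while the CSM Threats operations are listed under the legacy name, and the generated Go client accordingly places them in `CloudWorkloadSecurityApi`. Either retag the six new operations with `- CSM Threats` (and accept the generated-client rename that implies), or drop the tag until the operations move. Leaving it as-is invites confusion about which product the `remote_config` endpoints belong to.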
@@ -17,6 +17,79 @@ import ( // CloudWorkloadSecurityApi service type type CloudWorkloadSecurityApi datadog.Service +// CreateCSMThreatsAgentRule Create a CSM Threats Agent rule. +// Create a new Cloud Security Management Threats Agent rule with the given parameters. +func (a *CloudWorkloadSecurityApi) CreateCSMThreatsAgentRule(ctx _context.Context, body CloudWorkloadSecurityAgentRuleCreateRequest) (CloudWorkloadSecurityAgentRuleResponse, *_nethttp.Response, error) { + var ( + localVarHTTPMethod = _nethttp.MethodPost + localVarPostBody interface{} + localVarReturnValue CloudWorkloadSecurityAgentRuleResponse + ) + + localBasePath, err := a.Client.Cfg.ServerURLWithContext(ctx, "v2.CloudWorkloadSecurityApi.CreateCSMThreatsAgentRule") + if err != nil { + return localVarReturnValue, nil, datadog.GenericOpenAPIError{ErrorMessage: err.Error()} + } + + localVarPath := localBasePath + "/api/v2/remote_config/products/cws/agent_rules" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := _neturl.Values{} + localVarFormParams := _neturl.Values{} + localVarHeaderParams["Content-Type"] = "application/json" + localVarHeaderParams["Accept"] = "application/json" + + // body params + localVarPostBody = &body + datadog.SetAuthKeys( + ctx, + &localVarHeaderParams, + [2]string{"apiKeyAuth", "DD-API-KEY"}, + [2]string{"appKeyAuth", "DD-APPLICATION-KEY"}, + ) + req, err := a.Client.PrepareRequest(ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, nil) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.Client.CallAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := datadog.ReadBody(localVarHTTPResponse) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := datadog.GenericOpenAPIError{ 
+ ErrorBody: localVarBody, + ErrorMessage: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 || localVarHTTPResponse.StatusCode == 403 || localVarHTTPResponse.StatusCode == 409 || localVarHTTPResponse.StatusCode == 429 { + var v APIErrorResponse + err = a.Client.Decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.ErrorModel = v + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = a.Client.Decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := datadog.GenericOpenAPIError{ + ErrorBody: localVarBody, + ErrorMessage: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + // CreateCloudWorkloadSecurityAgentRule Create a Cloud Workload Security Agent rule. // Create a new Agent rule with the given parameters. func (a *CloudWorkloadSecurityApi) CreateCloudWorkloadSecurityAgentRule(ctx _context.Context, body CloudWorkloadSecurityAgentRuleCreateRequest) (CloudWorkloadSecurityAgentRuleResponse, *_nethttp.Response, error) { 
@@ -90,6 +163,67 @@ func (a *CloudWorkloadSecurityApi) CreateCloudWorkloadSecurityAgentRule(ctx _con return localVarReturnValue, localVarHTTPResponse, nil } +// DeleteCSMThreatsAgentRule Delete a CSM Threats Agent rule. +// Delete a specific Cloud Security Management Threats Agent rule. +func (a *CloudWorkloadSecurityApi) DeleteCSMThreatsAgentRule(ctx _context.Context, agentRuleId string) (*_nethttp.Response, error) { + var ( + localVarHTTPMethod = _nethttp.MethodDelete + localVarPostBody interface{} + ) + + localBasePath, err := a.Client.Cfg.ServerURLWithContext(ctx, "v2.CloudWorkloadSecurityApi.DeleteCSMThreatsAgentRule") + if err != nil { + return nil, datadog.GenericOpenAPIError{ErrorMessage: err.Error()} + } + + localVarPath := localBasePath + "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}" + localVarPath = strings.Replace(localVarPath, "{"+"agent_rule_id"+"}", _neturl.PathEscape(datadog.ParameterToString(agentRuleId, "")), -1) + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := _neturl.Values{} + localVarFormParams := _neturl.Values{} + localVarHeaderParams["Accept"] = "*/*" + + datadog.SetAuthKeys( + ctx, + &localVarHeaderParams, + [2]string{"apiKeyAuth", "DD-API-KEY"}, + [2]string{"appKeyAuth", "DD-APPLICATION-KEY"}, + ) + req, err := a.Client.PrepareRequest(ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, nil) + if err != nil { + return nil, err + } + + localVarHTTPResponse, err := a.Client.CallAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarHTTPResponse, err + } + + localVarBody, err := datadog.ReadBody(localVarHTTPResponse) + if err != nil { + return localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := datadog.GenericOpenAPIError{ + ErrorBody: localVarBody, + ErrorMessage: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 403 || 
localVarHTTPResponse.StatusCode == 404 || localVarHTTPResponse.StatusCode == 429 { + var v APIErrorResponse + err = a.Client.Decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + return localVarHTTPResponse, newErr + } + newErr.ErrorModel = v + } + return localVarHTTPResponse, newErr + } + + return localVarHTTPResponse, nil +} + // DeleteCloudWorkloadSecurityAgentRule Delete a Cloud Workload Security Agent rule. // Delete a specific Agent rule. func (a *CloudWorkloadSecurityApi) DeleteCloudWorkloadSecurityAgentRule(ctx _context.Context, agentRuleId string) (*_nethttp.Response, error) { 
@@ -151,6 +285,70 @@ func (a *CloudWorkloadSecurityApi) DeleteCloudWorkloadSecurityAgentRule(ctx _con return localVarHTTPResponse, nil } +// DownloadCSMThreatsPolicy Get the latest CSM Threats policy. +// The download endpoint generates a CSM Threats policy file from your currently active +// CSM Threats rules, and downloads them as a `.policy` file. This file can then be deployed to +// your Agents to update the policy running in your environment. +func (a *CloudWorkloadSecurityApi) DownloadCSMThreatsPolicy(ctx _context.Context) (_io.Reader, *_nethttp.Response, error) { + var ( + localVarHTTPMethod = _nethttp.MethodGet + localVarPostBody interface{} + localVarReturnValue _io.Reader + ) + + localBasePath, err := a.Client.Cfg.ServerURLWithContext(ctx, "v2.CloudWorkloadSecurityApi.DownloadCSMThreatsPolicy") + if err != nil { + return localVarReturnValue, nil, datadog.GenericOpenAPIError{ErrorMessage: err.Error()} + } + + localVarPath := localBasePath + "/api/v2/remote_config/products/cws/policy/download" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := _neturl.Values{} + localVarFormParams := _neturl.Values{} + localVarHeaderParams["Accept"] = "application/json" + + datadog.SetAuthKeys( + ctx, + &localVarHeaderParams, + [2]string{"apiKeyAuth", "DD-API-KEY"}, + [2]string{"appKeyAuth", "DD-APPLICATION-KEY"}, + ) + req, err := a.Client.PrepareRequest(ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, nil) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.Client.CallAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + + localVarBody, err := datadog.ReadBody(localVarHTTPResponse) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + newErr := datadog.GenericOpenAPIError{ + ErrorBody: 
localVarBody, + ErrorMessage: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 403 || localVarHTTPResponse.StatusCode == 429 { + var v APIErrorResponse + err = a.Client.Decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.ErrorModel = v + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + localVarReturnValue = localVarHTTPResponse.Body + + return localVarReturnValue, localVarHTTPResponse, nil +} + // DownloadCloudWorkloadPolicyFile Get the latest Cloud Workload Security policy. // The download endpoint generates a Cloud Workload Security policy file from your currently active // Cloud Workload Security rules, and downloads them as a .policy file. This file can then be deployed to 
@@ -215,6 +413,77 @@ func (a *CloudWorkloadSecurityApi) DownloadCloudWorkloadPolicyFile(ctx _context. return localVarReturnValue, localVarHTTPResponse, nil } +// GetCSMThreatsAgentRule Get a CSM Threats Agent rule. +// Get the details of a specific Cloud Security Management Threats Agent rule. +func (a *CloudWorkloadSecurityApi) GetCSMThreatsAgentRule(ctx _context.Context, agentRuleId string) (CloudWorkloadSecurityAgentRuleResponse, *_nethttp.Response, error) { + var ( + localVarHTTPMethod = _nethttp.MethodGet + localVarPostBody interface{} + localVarReturnValue CloudWorkloadSecurityAgentRuleResponse + ) + + localBasePath, err := a.Client.Cfg.ServerURLWithContext(ctx, "v2.CloudWorkloadSecurityApi.GetCSMThreatsAgentRule") + if err != nil { + return localVarReturnValue, nil, datadog.GenericOpenAPIError{ErrorMessage: err.Error()} + } + + localVarPath := localBasePath + "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}" + localVarPath = strings.Replace(localVarPath, "{"+"agent_rule_id"+"}", _neturl.PathEscape(datadog.ParameterToString(agentRuleId, "")), -1) + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := _neturl.Values{} + localVarFormParams := _neturl.Values{} + localVarHeaderParams["Accept"] = "application/json" + + datadog.SetAuthKeys( + ctx, + &localVarHeaderParams, + [2]string{"apiKeyAuth", "DD-API-KEY"}, + [2]string{"appKeyAuth", "DD-APPLICATION-KEY"}, + ) + req, err := a.Client.PrepareRequest(ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, nil) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.Client.CallAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := datadog.ReadBody(localVarHTTPResponse) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 
{ + newErr := datadog.GenericOpenAPIError{ + ErrorBody: localVarBody, + ErrorMessage: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 403 || localVarHTTPResponse.StatusCode == 404 || localVarHTTPResponse.StatusCode == 429 { + var v APIErrorResponse + err = a.Client.Decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.ErrorModel = v + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = a.Client.Decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := datadog.GenericOpenAPIError{ + ErrorBody: localVarBody, + ErrorMessage: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + // GetCloudWorkloadSecurityAgentRule Get a Cloud Workload Security Agent rule. // Get the details of a specific Agent rule. func (a *CloudWorkloadSecurityApi) GetCloudWorkloadSecurityAgentRule(ctx _context.Context, agentRuleId string) (CloudWorkloadSecurityAgentRuleResponse, *_nethttp.Response, error) { 
@@ -286,6 +555,76 @@ func (a *CloudWorkloadSecurityApi) GetCloudWorkloadSecurityAgentRule(ctx _contex return localVarReturnValue, localVarHTTPResponse, nil } +// ListCSMThreatsAgentRules Get all CSM Threats Agent rules. +// Get the list of Cloud Security Management Threats Agent rules. +func (a *CloudWorkloadSecurityApi) ListCSMThreatsAgentRules(ctx _context.Context) (CloudWorkloadSecurityAgentRulesListResponse, *_nethttp.Response, error) { + var ( + localVarHTTPMethod = _nethttp.MethodGet + localVarPostBody interface{} + localVarReturnValue CloudWorkloadSecurityAgentRulesListResponse + ) + + localBasePath, err := a.Client.Cfg.ServerURLWithContext(ctx, "v2.CloudWorkloadSecurityApi.ListCSMThreatsAgentRules") + if err != nil { + return localVarReturnValue, nil, datadog.GenericOpenAPIError{ErrorMessage: err.Error()} + } + + localVarPath := localBasePath + "/api/v2/remote_config/products/cws/agent_rules" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := _neturl.Values{} + localVarFormParams := _neturl.Values{} + localVarHeaderParams["Accept"] = "application/json" + + datadog.SetAuthKeys( + ctx, + &localVarHeaderParams, + [2]string{"apiKeyAuth", "DD-API-KEY"}, + [2]string{"appKeyAuth", "DD-APPLICATION-KEY"}, + ) + req, err := a.Client.PrepareRequest(ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, nil) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.Client.CallAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := datadog.ReadBody(localVarHTTPResponse) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := datadog.GenericOpenAPIError{ + ErrorBody: localVarBody, + ErrorMessage: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 403 || 
localVarHTTPResponse.StatusCode == 429 { + var v APIErrorResponse + err = a.Client.Decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.ErrorModel = v + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = a.Client.Decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := datadog.GenericOpenAPIError{ + ErrorBody: localVarBody, + ErrorMessage: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + // ListCloudWorkloadSecurityAgentRules Get all Cloud Workload Security Agent rules. // Get the list of Agent rules. func (a *CloudWorkloadSecurityApi) ListCloudWorkloadSecurityAgentRules(ctx _context.Context) (CloudWorkloadSecurityAgentRulesListResponse, *_nethttp.Response, error) { 
@@ -356,6 +695,81 @@ func (a *CloudWorkloadSecurityApi) ListCloudWorkloadSecurityAgentRules(ctx _cont return localVarReturnValue, localVarHTTPResponse, nil } +// UpdateCSMThreatsAgentRule Update a CSM Threats Agent rule. +// Update a specific Cloud Security Management Threats Agent rule. +// Returns the Agent rule object when the request is successful. +func (a *CloudWorkloadSecurityApi) UpdateCSMThreatsAgentRule(ctx _context.Context, agentRuleId string, body CloudWorkloadSecurityAgentRuleUpdateRequest) (CloudWorkloadSecurityAgentRuleResponse, *_nethttp.Response, error) { + var ( + localVarHTTPMethod = _nethttp.MethodPatch + localVarPostBody interface{} + localVarReturnValue CloudWorkloadSecurityAgentRuleResponse + ) + + localBasePath, err := a.Client.Cfg.ServerURLWithContext(ctx, "v2.CloudWorkloadSecurityApi.UpdateCSMThreatsAgentRule") + if err != nil { + return localVarReturnValue, nil, datadog.GenericOpenAPIError{ErrorMessage: err.Error()} + } + + localVarPath := localBasePath + "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}" + localVarPath = strings.Replace(localVarPath, "{"+"agent_rule_id"+"}", _neturl.PathEscape(datadog.ParameterToString(agentRuleId, "")), -1) + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := _neturl.Values{} + localVarFormParams := _neturl.Values{} + localVarHeaderParams["Content-Type"] = "application/json" + localVarHeaderParams["Accept"] = "application/json" + + // body params + localVarPostBody = &body + datadog.SetAuthKeys( + ctx, + &localVarHeaderParams, + [2]string{"apiKeyAuth", "DD-API-KEY"}, + [2]string{"appKeyAuth", "DD-APPLICATION-KEY"}, + ) + req, err := a.Client.PrepareRequest(ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, nil) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.Client.CallAPI(req) + if err != nil || localVarHTTPResponse == nil { + return 
localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := datadog.ReadBody(localVarHTTPResponse) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := datadog.GenericOpenAPIError{ + ErrorBody: localVarBody, + ErrorMessage: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 || localVarHTTPResponse.StatusCode == 403 || localVarHTTPResponse.StatusCode == 404 || localVarHTTPResponse.StatusCode == 409 || localVarHTTPResponse.StatusCode == 429 { + var v APIErrorResponse + err = a.Client.Decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.ErrorModel = v + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = a.Client.Decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := datadog.GenericOpenAPIError{ + ErrorBody: localVarBody, + ErrorMessage: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + // UpdateCloudWorkloadSecurityAgentRule Update a Cloud Workload Security Agent rule. // Update a specific Agent rule. // Returns the Agent rule object when the request is successful. diff --git a/api/datadogV2/doc.go b/api/datadogV2/doc.go index e7ab9a7b049..5f029182e8a 100644 --- a/api/datadogV2/doc.go +++ b/api/datadogV2/doc.go 
@@ -50,11 +50,17 @@ // - [CloudCostManagementApi.ListCostAzureUCConfigs] // - [CloudCostManagementApi.UpdateCostAWSCURConfig] // - [CloudCostManagementApi.UpdateCostAzureUCConfigs] +// - [CloudWorkloadSecurityApi.CreateCSMThreatsAgentRule] // - [CloudWorkloadSecurityApi.CreateCloudWorkloadSecurityAgentRule] +// - [CloudWorkloadSecurityApi.DeleteCSMThreatsAgentRule] // - [CloudWorkloadSecurityApi.DeleteCloudWorkloadSecurityAgentRule] +// - [CloudWorkloadSecurityApi.DownloadCSMThreatsPolicy] // - [CloudWorkloadSecurityApi.DownloadCloudWorkloadPolicyFile] +// - [CloudWorkloadSecurityApi.GetCSMThreatsAgentRule] // - [CloudWorkloadSecurityApi.GetCloudWorkloadSecurityAgentRule] +// - [CloudWorkloadSecurityApi.ListCSMThreatsAgentRules] // - [CloudWorkloadSecurityApi.ListCloudWorkloadSecurityAgentRules] +// - [CloudWorkloadSecurityApi.UpdateCSMThreatsAgentRule] // - [CloudWorkloadSecurityApi.UpdateCloudWorkloadSecurityAgentRule] // - [CloudflareIntegrationApi.CreateCloudflareAccount] // - [CloudflareIntegrationApi.DeleteCloudflareAccount] diff --git a/api/datadogV2/model_cloud_workload_security_agent_rule_action.go b/api/datadogV2/model_cloud_workload_security_agent_rule_action.go new file mode 100644 index 00000000000..932cf34863f --- /dev/null +++ b/api/datadogV2/model_cloud_workload_security_agent_rule_action.go 
@@ -0,0 +1,146 @@ +// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2019-Present Datadog, Inc. + +package datadogV2 + +import ( + "github.com/DataDog/datadog-api-client-go/v2/api/datadog" +) + +// CloudWorkloadSecurityAgentRuleAction The action the rule can perform if triggered. +type CloudWorkloadSecurityAgentRuleAction struct { + // SECL expression used to target the container to apply the action on + Filter *string `json:"filter,omitempty"` + // Kill system call applied on the container matching the rule + Kill *CloudWorkloadSecurityAgentRuleKill `json:"kill,omitempty"` + // UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct + UnparsedObject map[string]interface{} `json:"-"` + AdditionalProperties map[string]interface{} +} + +// NewCloudWorkloadSecurityAgentRuleAction instantiates a new CloudWorkloadSecurityAgentRuleAction object. +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed. +func NewCloudWorkloadSecurityAgentRuleAction() *CloudWorkloadSecurityAgentRuleAction { + this := CloudWorkloadSecurityAgentRuleAction{} + return &this +} + +// NewCloudWorkloadSecurityAgentRuleActionWithDefaults instantiates a new CloudWorkloadSecurityAgentRuleAction object. +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set. +func NewCloudWorkloadSecurityAgentRuleActionWithDefaults() *CloudWorkloadSecurityAgentRuleAction { + this := CloudWorkloadSecurityAgentRuleAction{} + return &this +} + +// GetFilter returns the Filter field value if set, zero value otherwise. 
+func (o *CloudWorkloadSecurityAgentRuleAction) GetFilter() string { + if o == nil || o.Filter == nil { + var ret string + return ret + } + return *o.Filter +} + +// GetFilterOk returns a tuple with the Filter field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *CloudWorkloadSecurityAgentRuleAction) GetFilterOk() (*string, bool) { + if o == nil || o.Filter == nil { + return nil, false + } + return o.Filter, true +} + +// HasFilter returns a boolean if a field has been set. +func (o *CloudWorkloadSecurityAgentRuleAction) HasFilter() bool { + return o != nil && o.Filter != nil +} + +// SetFilter gets a reference to the given string and assigns it to the Filter field. +func (o *CloudWorkloadSecurityAgentRuleAction) SetFilter(v string) { + o.Filter = &v +} + +// GetKill returns the Kill field value if set, zero value otherwise. +func (o *CloudWorkloadSecurityAgentRuleAction) GetKill() CloudWorkloadSecurityAgentRuleKill { + if o == nil || o.Kill == nil { + var ret CloudWorkloadSecurityAgentRuleKill + return ret + } + return *o.Kill +} + +// GetKillOk returns a tuple with the Kill field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *CloudWorkloadSecurityAgentRuleAction) GetKillOk() (*CloudWorkloadSecurityAgentRuleKill, bool) { + if o == nil || o.Kill == nil { + return nil, false + } + return o.Kill, true +} + +// HasKill returns a boolean if a field has been set. +func (o *CloudWorkloadSecurityAgentRuleAction) HasKill() bool { + return o != nil && o.Kill != nil +} + +// SetKill gets a reference to the given CloudWorkloadSecurityAgentRuleKill and assigns it to the Kill field. +func (o *CloudWorkloadSecurityAgentRuleAction) SetKill(v CloudWorkloadSecurityAgentRuleKill) { + o.Kill = &v +} + +// MarshalJSON serializes the struct using spec logic. 
+func (o CloudWorkloadSecurityAgentRuleAction) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.UnparsedObject != nil { + return datadog.Marshal(o.UnparsedObject) + } + if o.Filter != nil { + toSerialize["filter"] = o.Filter + } + if o.Kill != nil { + toSerialize["kill"] = o.Kill + } + + for key, value := range o.AdditionalProperties { + toSerialize[key] = value + } + return datadog.Marshal(toSerialize) +} + +// UnmarshalJSON deserializes the given payload. +func (o *CloudWorkloadSecurityAgentRuleAction) UnmarshalJSON(bytes []byte) (err error) { + all := struct { + Filter *string `json:"filter,omitempty"` + Kill *CloudWorkloadSecurityAgentRuleKill `json:"kill,omitempty"` + }{} + if err = datadog.Unmarshal(bytes, &all); err != nil { + return datadog.Unmarshal(bytes, &o.UnparsedObject) + } + additionalProperties := make(map[string]interface{}) + if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil { + datadog.DeleteKeys(additionalProperties, &[]string{"filter", "kill"}) + } else { + return err + } + + hasInvalidField := false + o.Filter = all.Filter + if all.Kill != nil && all.Kill.UnparsedObject != nil && o.UnparsedObject == nil { + hasInvalidField = true + } + o.Kill = all.Kill + + if len(additionalProperties) > 0 { + o.AdditionalProperties = additionalProperties + } + + if hasInvalidField { + return datadog.Unmarshal(bytes, &o.UnparsedObject) + } + + return nil +} diff --git a/api/datadogV2/model_cloud_workload_security_agent_rule_attributes.go b/api/datadogV2/model_cloud_workload_security_agent_rule_attributes.go index 9ad3f600dff..4e4b7ffe4f9 100644 --- a/api/datadogV2/model_cloud_workload_security_agent_rule_attributes.go +++ b/api/datadogV2/model_cloud_workload_security_agent_rule_attributes.go 
@@ -10,6 +10,8 @@ import (
 
 // CloudWorkloadSecurityAgentRuleAttributes A Cloud Workload Security Agent rule returned by the API.
 type CloudWorkloadSecurityAgentRuleAttributes struct {
+ // The array of actions the rule can perform if triggered.
+ Actions []CloudWorkloadSecurityAgentRuleAction `json:"actions,omitempty"`
 // The version of the agent.
 AgentConstraint *string `json:"agentConstraint,omitempty"`
 // The category of the Agent rule.
@@ -64,6 +66,35 @@ func NewCloudWorkloadSecurityAgentRuleAttributesWithDefaults() *CloudWorkloadSec
 return &this
 }
 
+// GetActions returns the Actions field value if set, zero value otherwise (both if not set or set to explicit null).
+func (o *CloudWorkloadSecurityAgentRuleAttributes) GetActions() []CloudWorkloadSecurityAgentRuleAction {
+ if o == nil {
+ var ret []CloudWorkloadSecurityAgentRuleAction
+ return ret
+ }
+ return o.Actions
+}
+
+// GetActionsOk returns a tuple with the Actions field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+// NOTE: If the value is an explicit nil, `nil, true` will be returned.
+func (o *CloudWorkloadSecurityAgentRuleAttributes) GetActionsOk() (*[]CloudWorkloadSecurityAgentRuleAction, bool) {
+ if o == nil || o.Actions == nil {
+ return nil, false
+ }
+ return &o.Actions, true
+}
+
+// HasActions returns a boolean if a field has been set.
+func (o *CloudWorkloadSecurityAgentRuleAttributes) HasActions() bool {
+ return o != nil && o.Actions != nil
+}
+
+// SetActions gets a reference to the given []CloudWorkloadSecurityAgentRuleAction and assigns it to the Actions field.
+func (o *CloudWorkloadSecurityAgentRuleAttributes) SetActions(v []CloudWorkloadSecurityAgentRuleAction) {
+ o.Actions = v
+}
+
 // GetAgentConstraint returns the AgentConstraint field value if set, zero value otherwise.
 func (o *CloudWorkloadSecurityAgentRuleAttributes) GetAgentConstraint() string {
 if o == nil || o.AgentConstraint == nil {
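Review bot: The NOTE on GetActionsOk in the second hunk promises `nil, true` for an explicit nil, but the guard `if o == nil || o.Actions == nil { return nil, false }` returns `nil, false` for every nil slice, and since Actions is a plain `[]CloudWorkloadSecurityAgentRuleAction` with `omitempty`, an absent key and a JSON `null` both decode to the same nil slice, so the case the comment describes cannot be told apart here. Either drop the NOTE line or, if the spec's nullable array is meant to round-trip, the field would need the SDK's nullable-list wrapper, which is outside this diff and unverified here. A comment that matches the code would be `// NOTE: a nil slice (absent key or JSON null) yields nil, false.`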
@@ -518,6 +549,9 @@ func (o CloudWorkloadSecurityAgentRuleAttributes) MarshalJSON() ([]byte, error)
 if o.UnparsedObject != nil {
 return datadog.Marshal(o.UnparsedObject)
 }
+ if o.Actions != nil {
+ toSerialize["actions"] = o.Actions
+ }
 if o.AgentConstraint != nil {
 toSerialize["agentConstraint"] = o.AgentConstraint
 }
@@ -576,6 +610,7 @@ func (o CloudWorkloadSecurityAgentRuleAttributes) MarshalJSON() ([]byte, error)
 // UnmarshalJSON deserializes the given payload.
 func (o *CloudWorkloadSecurityAgentRuleAttributes) UnmarshalJSON(bytes []byte) (err error) {
 all := struct {
+ Actions []CloudWorkloadSecurityAgentRuleAction `json:"actions,omitempty"`
 AgentConstraint *string `json:"agentConstraint,omitempty"`
 Category *string `json:"category,omitempty"`
 CreationAuthorUuId *string `json:"creationAuthorUuId,omitempty"`
@@ -598,12 +633,13 @@ func (o *CloudWorkloadSecurityAgentRuleAttributes) UnmarshalJSON(bytes []byte) (
 }
 additionalProperties := make(map[string]interface{})
 if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
- datadog.DeleteKeys(additionalProperties, &[]string{"agentConstraint", "category", "creationAuthorUuId", "creationDate", "creator", "defaultRule", "description", "enabled", "expression", "filters", "name", "updateAuthorUuId", "updateDate", "updatedAt", "updater", "version"})
+ datadog.DeleteKeys(additionalProperties, &[]string{"actions", "agentConstraint", "category", "creationAuthorUuId", "creationDate", "creator", "defaultRule", "description", "enabled", "expression", "filters", "name", "updateAuthorUuId", "updateDate", "updatedAt", "updater", "version"})
 } else {
 return err
 }
 
 hasInvalidField := false
+ o.Actions = all.Actions
 o.AgentConstraint = all.AgentConstraint
 o.Category = all.Category
 o.CreationAuthorUuId = all.CreationAuthorUuId
diff --git a/api/datadogV2/model_cloud_workload_security_agent_rule_kill.go b/api/datadogV2/model_cloud_workload_security_agent_rule_kill.go
new file mode 100644
index 00000000000..7ad3e6c20b9
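Review bot: In the third hunk `o.Actions = all.Actions` is stored without looking at the elements, so an action whose own UnmarshalJSON fell back to UnparsedObject (the `kill` sub-object check in model_cloud_workload_security_agent_rule_action.go does exactly that) ends up inside an attributes struct that reports no invalid field, whereas a single nested object in the action model flips hasInvalidField. If arrays of objects are meant to behave like nested objects, walk the slice right after the assignment; the `if hasInvalidField` fallback that would act on it is later in UnmarshalJSON, outside this hunk. This is inferred from the action model's template, so confirm against how the generator treats other object arrays before changing it.
```go
 hasInvalidField := false
 o.Actions = all.Actions
 for _, action := range all.Actions {
  if action.UnparsedObject != nil && o.UnparsedObject == nil {
   hasInvalidField = true
   break
  }
 }
 // … unchanged: remaining field assignments …
```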
--- /dev/null
+++ b/api/datadogV2/model_cloud_workload_security_agent_rule_kill.go
@@ -0,0 +1,102 @@
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2019-Present Datadog, Inc.
+
+package datadogV2
+
+import (
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+)
+
+// CloudWorkloadSecurityAgentRuleKill Kill system call applied on the container matching the rule
+type CloudWorkloadSecurityAgentRuleKill struct {
+ // Supported signals for the kill system call.
+ Signal *string `json:"signal,omitempty"`
+ // UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct
+ UnparsedObject map[string]interface{} `json:"-"`
+ AdditionalProperties map[string]interface{}
+}
+
+// NewCloudWorkloadSecurityAgentRuleKill instantiates a new CloudWorkloadSecurityAgentRuleKill object.
+// This constructor will assign default values to properties that have it defined,
+// and makes sure properties required by API are set, but the set of arguments
+// will change when the set of required properties is changed.
+func NewCloudWorkloadSecurityAgentRuleKill() *CloudWorkloadSecurityAgentRuleKill {
+ this := CloudWorkloadSecurityAgentRuleKill{}
+ return &this
+}
+
+// NewCloudWorkloadSecurityAgentRuleKillWithDefaults instantiates a new CloudWorkloadSecurityAgentRuleKill object.
+// This constructor will only assign default values to properties that have it defined,
+// but it doesn't guarantee that properties required by API are set.
+func NewCloudWorkloadSecurityAgentRuleKillWithDefaults() *CloudWorkloadSecurityAgentRuleKill {
+ this := CloudWorkloadSecurityAgentRuleKill{}
+ return &this
+}
+
+// GetSignal returns the Signal field value if set, zero value otherwise.
+func (o *CloudWorkloadSecurityAgentRuleKill) GetSignal() string {
+ if o == nil || o.Signal == nil {
+ var ret string
+ return ret
+ }
+ return *o.Signal
+}
+
+// GetSignalOk returns a tuple with the Signal field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *CloudWorkloadSecurityAgentRuleKill) GetSignalOk() (*string, bool) {
+ if o == nil || o.Signal == nil {
+ return nil, false
+ }
+ return o.Signal, true
+}
+
+// HasSignal returns a boolean if a field has been set.
+func (o *CloudWorkloadSecurityAgentRuleKill) HasSignal() bool {
+ return o != nil && o.Signal != nil
+}
+
+// SetSignal gets a reference to the given string and assigns it to the Signal field.
+func (o *CloudWorkloadSecurityAgentRuleKill) SetSignal(v string) {
+ o.Signal = &v
+}
+
+// MarshalJSON serializes the struct using spec logic.
+func (o CloudWorkloadSecurityAgentRuleKill) MarshalJSON() ([]byte, error) {
+ toSerialize := map[string]interface{}{}
+ if o.UnparsedObject != nil {
+ return datadog.Marshal(o.UnparsedObject)
+ }
+ if o.Signal != nil {
+ toSerialize["signal"] = o.Signal
+ }
+
+ for key, value := range o.AdditionalProperties {
+ toSerialize[key] = value
+ }
+ return datadog.Marshal(toSerialize)
+}
+
+// UnmarshalJSON deserializes the given payload.
+func (o *CloudWorkloadSecurityAgentRuleKill) UnmarshalJSON(bytes []byte) (err error) {
+ all := struct {
+ Signal *string `json:"signal,omitempty"`
+ }{}
+ if err = datadog.Unmarshal(bytes, &all); err != nil {
+ return datadog.Unmarshal(bytes, &o.UnparsedObject)
+ }
+ additionalProperties := make(map[string]interface{})
+ if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
+ datadog.DeleteKeys(additionalProperties, &[]string{"signal"})
+ } else {
+ return err
+ }
+ o.Signal = all.Signal
+
+ if len(additionalProperties) > 0 {
+ o.AdditionalProperties = additionalProperties
+ }
+
+ return nil
+}
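Review bot: The Signal field comment `// Supported signals for the kill system call.` reads as if the value were a closed set, but the field is an unconstrained *string and SetSignal stores whatever it is given, so nothing on the client side rejects a misspelled or unsupported signal name and the caller only finds out from the API response. For an action that terminates the process matched by the rule, the doc should say that plainly: `// Signal sent by the kill action. Not validated by this client; rely on the API response to confirm the value was accepted.` If the API publishes the accepted names, the generator should carry them as an enum type the way it does for CloudWorkloadSecurityAgentRuleType, but the spec in this diff gives only `type: string`.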
diff --git a/api/datadogV2/model_cloud_workload_security_agent_rule_update_data.go b/api/datadogV2/model_cloud_workload_security_agent_rule_update_data.go
index 2f430775d61..3f600789781 100644
--- a/api/datadogV2/model_cloud_workload_security_agent_rule_update_data.go
+++ b/api/datadogV2/model_cloud_workload_security_agent_rule_update_data.go
@@ -14,6 +14,8 @@ import (
 type CloudWorkloadSecurityAgentRuleUpdateData struct {
 // Update an existing Cloud Workload Security Agent rule.
 Attributes CloudWorkloadSecurityAgentRuleUpdateAttributes `json:"attributes"`
+ // The ID of the agent rule.
+ Id *string `json:"id,omitempty"`
 // The type of the resource. The value should always be `agent_rule`.
 Type CloudWorkloadSecurityAgentRuleType `json:"type"`
 // UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct
@@ -65,6 +67,34 @@ func (o *CloudWorkloadSecurityAgentRuleUpdateData) SetAttributes(v CloudWorkload
 o.Attributes = v
 }
 
+// GetId returns the Id field value if set, zero value otherwise.
+func (o *CloudWorkloadSecurityAgentRuleUpdateData) GetId() string {
+ if o == nil || o.Id == nil {
+ var ret string
+ return ret
+ }
+ return *o.Id
+}
+
+// GetIdOk returns a tuple with the Id field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *CloudWorkloadSecurityAgentRuleUpdateData) GetIdOk() (*string, bool) {
+ if o == nil || o.Id == nil {
+ return nil, false
+ }
+ return o.Id, true
+}
+
+// HasId returns a boolean if a field has been set.
+func (o *CloudWorkloadSecurityAgentRuleUpdateData) HasId() bool {
+ return o != nil && o.Id != nil
+}
+
+// SetId gets a reference to the given string and assigns it to the Id field.
+func (o *CloudWorkloadSecurityAgentRuleUpdateData) SetId(v string) {
+ o.Id = &v
+}
+
 // GetType returns the Type field value.
 func (o *CloudWorkloadSecurityAgentRuleUpdateData) GetType() CloudWorkloadSecurityAgentRuleType {
 if o == nil {
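Review bot: The new optional Id in the update body duplicates the rule id that UpdateCSMThreatsAgentRule already takes as a path argument (examples/v2/cloud-workload-security/UpdateCSMThreatsAgentRule.go passes AgentRuleDataID in both places), and nothing in this struct, or in the MarshalJSON/UnmarshalJSON hunks for the same field in the next file section, ties the two values together; which one the server honours when they differ is not visible here. At minimum the field comment should state the contract so a caller does not send a body naming a different rule than the path: `// The ID of the agent rule. Must match the rule id given in the request path.` The getter/setter quartet in the second hunk is the standard template and needs no change.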
@@ -95,6 +125,9 @@ func (o CloudWorkloadSecurityAgentRuleUpdateData) MarshalJSON() ([]byte, error)
 return datadog.Marshal(o.UnparsedObject)
 }
 toSerialize["attributes"] = o.Attributes
+ if o.Id != nil {
+ toSerialize["id"] = o.Id
+ }
 toSerialize["type"] = o.Type
 
 for key, value := range o.AdditionalProperties {
@@ -107,6 +140,7 @@ func (o CloudWorkloadSecurityAgentRuleUpdateData) MarshalJSON() ([]byte, error)
 func (o *CloudWorkloadSecurityAgentRuleUpdateData) UnmarshalJSON(bytes []byte) (err error) {
 all := struct {
 Attributes *CloudWorkloadSecurityAgentRuleUpdateAttributes `json:"attributes"`
+ Id *string `json:"id,omitempty"`
 Type *CloudWorkloadSecurityAgentRuleType `json:"type"`
 }{}
 if err = datadog.Unmarshal(bytes, &all); err != nil {
@@ -120,7 +154,7 @@ func (o *CloudWorkloadSecurityAgentRuleUpdateData) UnmarshalJSON(bytes []byte) (
 }
 additionalProperties := make(map[string]interface{})
 if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
- datadog.DeleteKeys(additionalProperties, &[]string{"attributes", "type"})
+ datadog.DeleteKeys(additionalProperties, &[]string{"attributes", "id", "type"})
 } else {
 return err
 }
@@ -130,6 +164,7 @@ func (o *CloudWorkloadSecurityAgentRuleUpdateData) UnmarshalJSON(bytes []byte) (
 hasInvalidField = true
 }
 o.Attributes = *all.Attributes
+ o.Id = all.Id
 if !all.Type.IsValid() {
 hasInvalidField = true
 } else {
diff --git a/examples/v2/cloud-workload-security/CreateCSMThreatsAgentRule.go b/examples/v2/cloud-workload-security/CreateCSMThreatsAgentRule.go
new file mode 100644
index 00000000000..65e2a756da6
--- /dev/null
+++ b/examples/v2/cloud-workload-security/CreateCSMThreatsAgentRule.go
@@ -0,0 +1,40 @@
+// Create a CSM Threats Agent rule returns "OK" response
+
+package main
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "os"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+)
+
+func main() {
+ body := datadogV2.CloudWorkloadSecurityAgentRuleCreateRequest{
+ Data: datadogV2.CloudWorkloadSecurityAgentRuleCreateData{
+ Attributes: datadogV2.CloudWorkloadSecurityAgentRuleCreateAttributes{
+ Description: datadog.PtrString("My Agent rule"),
+ Enabled: datadog.PtrBool(true),
+ Expression: `exec.file.name == "sh"`,
+ Name: "my_agent_rule",
+ },
+ Type: datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE,
+ },
+ }
+ ctx := datadog.NewDefaultContext(context.Background())
+ configuration := datadog.NewConfiguration()
+ apiClient := datadog.NewAPIClient(configuration)
+ api := datadogV2.NewCloudWorkloadSecurityApi(apiClient)
+ resp, r, err := api.CreateCSMThreatsAgentRule(ctx, body)
+
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error when calling `CloudWorkloadSecurityApi.CreateCSMThreatsAgentRule`: %v\n", err)
+ fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+ }
+
+ responseContent, _ := json.MarshalIndent(resp, "", " ")
+ fmt.Fprintf(os.Stdout, "Response from `CloudWorkloadSecurityApi.CreateCSMThreatsAgentRule`:\n%s\n", responseContent)
+}
diff --git a/examples/v2/cloud-workload-security/DeleteCSMThreatsAgentRule.go b/examples/v2/cloud-workload-security/DeleteCSMThreatsAgentRule.go
new file mode 100644
index 00000000000..14975d144ee
--- /dev/null
+++ b/examples/v2/cloud-workload-security/DeleteCSMThreatsAgentRule.go
@@ -0,0 +1,28 @@
+// Delete a CSM Threats Agent rule returns "OK" response
+
+package main
+
+import (
+ "context"
+ "fmt"
+ "os"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+)
+
+func main() {
+ // there is a valid "agent_rule_rc" in the system
+ AgentRuleDataID := os.Getenv("AGENT_RULE_DATA_ID")
+
+ ctx := datadog.NewDefaultContext(context.Background())
+ configuration := datadog.NewConfiguration()
+ apiClient := datadog.NewAPIClient(configuration)
+ api := datadogV2.NewCloudWorkloadSecurityApi(apiClient)
+ r, err := api.DeleteCSMThreatsAgentRule(ctx, AgentRuleDataID)
+
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error when calling `CloudWorkloadSecurityApi.DeleteCSMThreatsAgentRule`: %v\n", err)
+ fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+ }
+}
diff --git a/examples/v2/cloud-workload-security/DownloadCSMThreatsPolicy.go b/examples/v2/cloud-workload-security/DownloadCSMThreatsPolicy.go
new file mode 100644
index 00000000000..a1ab6312d26
--- /dev/null
+++ b/examples/v2/cloud-workload-security/DownloadCSMThreatsPolicy.go
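Review bot: AgentRuleDataID is read from os.Getenv and handed to DeleteCSMThreatsAgentRule with no check that it is non-empty, so an unset AGENT_RULE_DATA_ID presumably issues a DELETE against a path with an empty rule segment and leaves it to the server to refuse; for a destructive example it is better to fail before the request is built. The same unchecked read appears in GetCSMThreatsAgentRule.go and UpdateCSMThreatsAgentRule.go in the following sections. The comment `// there is a valid "agent_rule_rc" in the system` names a test fixture rather than telling a reader what to provide; `// AGENT_RULE_DATA_ID must hold the id of an existing agent rule` is what someone copying the example needs.
```go
 AgentRuleDataID := os.Getenv("AGENT_RULE_DATA_ID")
 if AgentRuleDataID == "" {
  fmt.Fprintln(os.Stderr, "AGENT_RULE_DATA_ID must be set to the id of an existing agent rule")
  os.Exit(1)
 }
 // … unchanged: client setup and DeleteCSMThreatsAgentRule call …
```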
@@ -0,0 +1,29 @@
+// Get the latest CSM Threats policy returns "OK" response
+
+package main
+
+import (
+ "context"
+ "fmt"
+ "io/ioutil"
+ "os"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+)
+
+func main() {
+ ctx := datadog.NewDefaultContext(context.Background())
+ configuration := datadog.NewConfiguration()
+ apiClient := datadog.NewAPIClient(configuration)
+ api := datadogV2.NewCloudWorkloadSecurityApi(apiClient)
+ resp, r, err := api.DownloadCSMThreatsPolicy(ctx)
+
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error when calling `CloudWorkloadSecurityApi.DownloadCSMThreatsPolicy`: %v\n", err)
+ fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+ }
+
+ responseContent, _ := ioutil.ReadAll(resp)
+ fmt.Fprintf(os.Stdout, "Response from `CloudWorkloadSecurityApi.DownloadCSMThreatsPolicy`:\n%s\n", responseContent)
+}
diff --git a/examples/v2/cloud-workload-security/GetCSMThreatsAgentRule.go b/examples/v2/cloud-workload-security/GetCSMThreatsAgentRule.go
new file mode 100644
index 00000000000..1ca3e580db9
--- /dev/null
+++ b/examples/v2/cloud-workload-security/GetCSMThreatsAgentRule.go
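Review bot: `ioutil.ReadAll(resp)` runs even after the call has failed, and if resp is nil on that path (likely for an error return, though its type is not shown in this hunk) the read panics right after the example printed its error message; closing the error branch with `os.Exit(1)` keeps the failure readable. `io/ioutil` has been deprecated since Go 1.16, so the import should be `"io"` and the call `io.ReadAll(resp)`. If resp is a ReadCloser it is also never closed; a `defer resp.Close()` placed after the error check would cover that, but confirm the return type of DownloadCSMThreatsPolicy first.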
@@ -0,0 +1,32 @@
+// Get a CSM Threats Agent rule returns "OK" response
+
+package main
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "os"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+)
+
+func main() {
+ // there is a valid "agent_rule_rc" in the system
+ AgentRuleDataID := os.Getenv("AGENT_RULE_DATA_ID")
+
+ ctx := datadog.NewDefaultContext(context.Background())
+ configuration := datadog.NewConfiguration()
+ apiClient := datadog.NewAPIClient(configuration)
+ api := datadogV2.NewCloudWorkloadSecurityApi(apiClient)
+ resp, r, err := api.GetCSMThreatsAgentRule(ctx, AgentRuleDataID)
+
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error when calling `CloudWorkloadSecurityApi.GetCSMThreatsAgentRule`: %v\n", err)
+ fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+ }
+
+ responseContent, _ := json.MarshalIndent(resp, "", " ")
+ fmt.Fprintf(os.Stdout, "Response from `CloudWorkloadSecurityApi.GetCSMThreatsAgentRule`:\n%s\n", responseContent)
+}
diff --git a/examples/v2/cloud-workload-security/ListCSMThreatsAgentRules.go b/examples/v2/cloud-workload-security/ListCSMThreatsAgentRules.go
new file mode 100644
index 00000000000..55f6133eab2
--- /dev/null
+++ b/examples/v2/cloud-workload-security/ListCSMThreatsAgentRules.go
@@ -0,0 +1,29 @@
+// Get all CSM Threats Agent rules returns "OK" response
+
+package main
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "os"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+)
+
+func main() {
+ ctx := datadog.NewDefaultContext(context.Background())
+ configuration := datadog.NewConfiguration()
+ apiClient := datadog.NewAPIClient(configuration)
+ api := datadogV2.NewCloudWorkloadSecurityApi(apiClient)
+ resp, r, err := api.ListCSMThreatsAgentRules(ctx)
+
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error when calling `CloudWorkloadSecurityApi.ListCSMThreatsAgentRules`: %v\n", err)
+ fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+ }
+
+ responseContent, _ := json.MarshalIndent(resp, "", " ")
+ fmt.Fprintf(os.Stdout, "Response from `CloudWorkloadSecurityApi.ListCSMThreatsAgentRules`:\n%s\n", responseContent)
+}
diff --git a/examples/v2/cloud-workload-security/UpdateCSMThreatsAgentRule.go b/examples/v2/cloud-workload-security/UpdateCSMThreatsAgentRule.go
new file mode 100644
index 00000000000..e9c204b3ab1
--- /dev/null
+++ b/examples/v2/cloud-workload-security/UpdateCSMThreatsAgentRule.go
@@ -0,0 +1,43 @@
+// Update a CSM Threats Agent rule returns "OK" response
+
+package main
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "os"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+)
+
+func main() {
+ // there is a valid "agent_rule_rc" in the system
+ AgentRuleDataID := os.Getenv("AGENT_RULE_DATA_ID")
+
+ body := datadogV2.CloudWorkloadSecurityAgentRuleUpdateRequest{
+ Data: datadogV2.CloudWorkloadSecurityAgentRuleUpdateData{
+ Attributes: datadogV2.CloudWorkloadSecurityAgentRuleUpdateAttributes{
+ Description: datadog.PtrString("Test Agent rule"),
+ Enabled: datadog.PtrBool(true),
+ Expression: datadog.PtrString(`exec.file.name == "sh"`),
+ },
+ Type: datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE,
+ Id: datadog.PtrString(AgentRuleDataID),
+ },
+ }
+ ctx := datadog.NewDefaultContext(context.Background())
+ configuration := datadog.NewConfiguration()
+ apiClient := datadog.NewAPIClient(configuration)
+ api := datadogV2.NewCloudWorkloadSecurityApi(apiClient)
+ resp, r, err := api.UpdateCSMThreatsAgentRule(ctx, AgentRuleDataID, body)
+
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error when calling `CloudWorkloadSecurityApi.UpdateCSMThreatsAgentRule`: %v\n", err)
+ fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+ }
+
+ responseContent, _ := json.MarshalIndent(resp, "", " ")
+ fmt.Fprintf(os.Stdout, "Response from `CloudWorkloadSecurityApi.UpdateCSMThreatsAgentRule`:\n%s\n", responseContent)
+}
diff --git a/tests/scenarios/api_mappings.go b/tests/scenarios/api_mappings.go
index 905c587e251..146df41cbd9 100644
--- a/tests/scenarios/api_mappings.go
+++ b/tests/scenarios/api_mappings.go
@@ -78,11 +78,11 @@ var apiMappings = map[string]map[string]reflect.Value{
 "SecurityMonitoringApi": reflect.ValueOf(datadogV2.NewSecurityMonitoringApi),
 "PowerpackApi": reflect.ValueOf(datadogV2.NewPowerpackApi),
 "ProcessesApi": reflect.ValueOf(datadogV2.NewProcessesApi),
+ "CloudWorkloadSecurityApi": reflect.ValueOf(datadogV2.NewCloudWorkloadSecurityApi),
 "RestrictionPoliciesApi": reflect.ValueOf(datadogV2.NewRestrictionPoliciesApi),
 "RUMApi": reflect.ValueOf(datadogV2.NewRUMApi),
 "OrganizationsApi": reflect.ValueOf(datadogV2.NewOrganizationsApi),
 "ServiceScorecardsApi": reflect.ValueOf(datadogV2.NewServiceScorecardsApi),
- "CloudWorkloadSecurityApi": reflect.ValueOf(datadogV2.NewCloudWorkloadSecurityApi),
 "SensitiveDataScannerApi": reflect.ValueOf(datadogV2.NewSensitiveDataScannerApi),
 "ServiceAccountsApi": reflect.ValueOf(datadogV2.NewServiceAccountsApi),
 "IncidentServicesApi": reflect.ValueOf(datadogV2.NewIncidentServicesApi),
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
new file mode 100644
index 00000000000..c8506d59b94
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
@@ -0,0 +1 @@
+2024-03-08T14:19:01.846Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml
new file mode 100644
index 00000000000..d6c1bd6120e
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml
@@ -0,0 +1,23 @@
+interactions:
+- request:
+ body: |
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == sh","name":"my_agent_rule"},"type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 0
+ method: POST
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ response:
+ body: '{"errors":["input_validation_error(Field ''expression'' is invalid: rule
+ `my_agent_rule` error: rule compilation error: field `sh` not found)"]}'
+ code: 400
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 400 Bad Request
+version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.freeze
new file mode 100644
index 00000000000..2dccd862e9d
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.freeze
@@ -0,0 +1 @@
+2024-03-06T09:58:37.695Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.yaml
new file mode 100644
index 00000000000..4dcb89a911e
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.yaml
@@ -0,0 +1,42 @@
+interactions:
+- request:
+ body: |
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"my_agent_rule"},"type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 0
+ method: POST
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ response:
+ body: '{"data":{"id":"8r4-bdz-7ma","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1709719118032,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":null,"name":"my_agent_rule","updateDate":1709719118032,"updater":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"}}}}'
+ code: 200
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ id: 1
+ method: DELETE
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/8r4-bdz-7ma
+ response:
+ body: ''
+ code: 200
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
new file mode 100644
index 00000000000..4ff817ba663
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
@@ -0,0 +1 @@
+2024-03-08T14:19:02.357Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
new file mode 100644
index 00000000000..c5cc99faf46
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
@@ -0,0 +1,43 @@
+interactions:
+- request:
+ body: |
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"my_agent_rule"},"type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 0
+ method: POST
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ response:
+ body: '{"data":{"id":"zer-ow9-d4q","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1709907542607,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os
+ == \"linux\""],"name":"my_agent_rule","updateDate":1709907542607,"updater":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"}}}}'
+ code: 200
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ id: 1
+ method: DELETE
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/zer-ow9-d4q
+ response:
+ body: ''
+ code: 204
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze
index d2976158307..e9ee5cb3f4d 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze
@@ -1 +1 @@
-2022-01-11T18:11:35.118Z
\ No newline at end of file
+2024-03-08T14:19:03.967Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml
index 4f27411f981..e7f8be70174 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml
@@ -1,7 +1,7 @@
 interactions:
 - request:
 body: |
- {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path = sh","name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1641924695"},"type":"agent_rule"}}
+ {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path = sh","name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709907543"},"type":"agent_rule"}}
 form: {}
 headers:
 Accept:
@@ -13,8 +13,10 @@ interactions:
 url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
 response:
 body: '{"errors":["input_validation_error(Field ''expression'' is invalid: rule
- `testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1641924695`
- definition error: syntax error: 1:18: unexpected token \"sh\" (expected \"~\"))"]}'
+ `testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709907543`
+ error: syntax error `1:18: unexpected token \"sh\" (expected \"~\")`)"]}
+
+ '
 code: 400
 duration: 0ms
 headers:
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
index 9c7c5b62953..bbb5bba9c39 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
@@ -1 +1 @@
-2022-05-12T09:51:20.359Z
\ No newline at end of file
+2024-03-08T14:19:04.358Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
index 1c5220bebaf..5cf006e3ef0 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
@@ -1,7 +1,7 @@
 interactions:
 - request:
 body: |
- {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1652349080"},"type":"agent_rule"}}
+ {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1709907544"},"type":"agent_rule"}}
 form: {}
 headers:
 Accept:
@@ -12,14 +12,17 @@ interactions:
 method: POST
 url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
 response:
- body: '{"data":{"attributes":{"category":"Process Activity","name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1652349080","creator":{"handle":"frog@datadoghq.com","name":null},"description":"Test
- Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349080821,"creationDate":1652349080821,"expression":"exec.file.name
- == \"sh\""},"type":"agent_rule","id":"qb1-cn9-jwq"}}'
+ body: '{"data":{"id":"svr-luf-gzy","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1709907544","description":"Test
+ Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907544744,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907544744,"filters":["os
+ == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}}
+
+ '
 code: 200
 duration: 0ms
 headers:
 Content-Type:
- - application/json;charset=utf-8
+ - application/json
 status: 200 OK
 - request:
 body: ''
@@ -29,13 +32,11 @@ interactions:
 - '*/*'
 id: 1
 method: DELETE
- url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/qb1-cn9-jwq
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/svr-luf-gzy
 response:
 body: ''
 code: 204
 duration: 0ms
- headers:
- Content-Type:
- - application/json;charset=utf-8
+ headers: {}
 status: 204 No Content
 version: 2
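Review bot: The re-recorded 200 body in this hunk now carries a real person's display name and e-mail address in `creator`/`updater` plus an account-level `creationAuthorUuId`, where the previous recording had a placeholder handle (`frog@datadoghq.com`) and `"name":null`. Because these cassettes ship with the SDK, the recorder's response filter should rewrite those fields to fixed placeholders before the fixture is written, or the scenarios should be recorded under a dedicated test identity; the same identifiers recur in the Delete and Get `_returns_OK_response.yaml` cassettes for both the `cloud_workload_security` and `remote_config/products/cws` paths, and the new `Get_all_CSM_Threats_Agent_rules` cassette additionally snapshots the organisation's custom detection rules together with their authors, which a minimal fixture would avoid. The `Content-Type` change from `application/json;charset=utf-8` to `application/json` on the 200 and the dropped headers on the 204 are server-side behaviour changes worth a line in the commit description, so SDK consumers that match on the exact media-type string are not surprised.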
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..2a00f4dad77
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2024-03-08T14:19:05.335Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml
new file mode 100644
index 00000000000..2de1cc7fda1
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml
@@ -0,0 +1,21 @@
+interactions:
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ id: 0
+ method: DELETE
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz
+ response:
+ body: '{"errors":[{"title":"failed to delete rule"}]}
+
+ '
+ code: 404
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 404 Not Found
+version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
new file mode 100644
index 00000000000..9b393995ff0
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
@@ -0,0 +1 @@
+2024-03-08T14:19:05.699Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
new file mode 100644
index 00000000000..dba93a774c8
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
@@ -0,0 +1,62 @@
+interactions:
+- request:
+ body: |
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testdeleteacsmthreatsagentrulereturnsokresponse1709907545"},"type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 0
+ method: POST
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ response:
+ body: '{"data":{"id":"e19-wln-ypy","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1709907546083,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os
+ == \"linux\""],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1709907545","updateDate":1709907546083,"updater":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"}}}}'
+ code: 200
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ id: 1
+ method: DELETE
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/e19-wln-ypy
+ response:
+ body: ''
+ code: 204
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ id: 2
+ method: DELETE
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/e19-wln-ypy
+ response:
+ body: '{"errors":[{"title":"failed to delete rule"}]}
+
+ '
+ code: 404
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 404 Not Found
+version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
index 9f8ca51b7a2..da35a9232ee 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
@@ -1 +1 @@
-2022-05-12T09:51:21.337Z
\ No newline at end of file
+2024-03-08T14:19:07.580Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml
index 123f21f1bed..0a30fdeb3d0 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml
@@ -9,7 +9,9 @@ interactions:
 method: DELETE
 url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz
 response:
- body: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]}'
+ body: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]}
+
+ '
 code: 404
 duration: 0ms
 headers:
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
index c0bf1eb515f..7aaa4d93699 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
@@ -1 +1 @@
-2022-05-12T09:51:21.769Z
\ No newline at end of file
+2024-03-08T14:19:07.919Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
index e677d3a6799..b4430ab231d 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
@@ -1,7 +1,7 @@
 interactions:
 - request:
 body: |
- {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1652349081"},"type":"agent_rule"}}
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1709907547"},"type":"agent_rule"}}
 form: {}
 headers:
 Accept:
@@ -12,14 +12,17 @@ interactions:
 method: POST
 url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
 response:
- body: '{"data":{"attributes":{"category":"Process Activity","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1652349081","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My
- Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349082186,"creationDate":1652349082186,"expression":"exec.file.name
- == \"sh\""},"type":"agent_rule","id":"hqy-ez4-nci"}}'
+ body: '{"data":{"id":"bo0-5k6-vtc","attributes":{"version":1,"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1709907547","description":"My
+ Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907548216,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907548216,"filters":["os
+ == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}}
+
+ '
 code: 200
 duration: 0ms
 headers:
 Content-Type:
- - application/json;charset=utf-8
+ - application/json
 status: 200 OK
 - request:
 body: ''
@@ -29,14 +32,12 @@ interactions:
 - '*/*'
 id: 1
 method: DELETE
- url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/hqy-ez4-nci
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bo0-5k6-vtc
 response:
 body: ''
 code: 204
 duration: 0ms
- headers:
- Content-Type:
- - application/json;charset=utf-8
+ headers: {}
 status: 204 No Content
 - request:
 body: ''
@@ -46,9 +47,11 @@ interactions:
 - '*/*'
 id: 2
 method: DELETE
- url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/hqy-ez4-nci
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bo0-5k6-vtc
 response:
- body: '{"errors":["not_found(Agent rule not found: agentRuleId=hqy-ez4-nci)"]}'
+ body: '{"errors":["not_found(Agent rule not found: agentRuleId=bo0-5k6-vtc)"]}
+
+ '
 code: 404
 duration: 0ms
 headers:
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..fa6ab0bcca0
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2024-03-08T14:19:09.189Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml
new file mode 100644
index 00000000000..f46bb283ae7
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml
@@ -0,0 +1,21 @@
+interactions:
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ id: 0
+ method: GET
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz
+ response:
+ body: '{"errors":[{"title":"failed to get rule"}]}
+
+ '
+ code: 404
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 404 Not Found
+version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
new file mode 100644
index 00000000000..6a658aeb97c
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
@@ -0,0 +1 @@
+2024-03-08T14:19:09.586Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
new file mode 100644
index 00000000000..fbe3dedd460
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
@@ -0,0 +1,64 @@
+interactions:
+- request:
+ body: |
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetacsmthreatsagentrulereturnsokresponse1709907549"},"type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 0
+ method: POST
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ response:
+ body: '{"data":{"id":"hod-pqw-spq","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1709907549922,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os
+ == \"linux\""],"name":"testgetacsmthreatsagentrulereturnsokresponse1709907549","updateDate":1709907549922,"updater":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"}}}}'
+ code: 200
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ id: 1
+ method: GET
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hod-pqw-spq
+ response:
+ body: '{"data":{"id":"hod-pqw-spq","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1709907549000,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os
+ == \"linux\""],"name":"testgetacsmthreatsagentrulereturnsokresponse1709907549","updateDate":1709907549000,"updater":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"}}}}'
+ code: 200
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ id: 2
+ method: DELETE
+ url: 
https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hod-pqw-spq
+ response:
+ body: ''
+ code: 204
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
index 712680a66f1..723e55f423d 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
@@ -1 +1 @@
-2022-01-11T18:11:38.248Z
\ No newline at end of file
+2024-03-08T14:19:11.425Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml
index 91a05e30a4e..770ec0d149a 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml
@@ -9,7 +9,9 @@ interactions:
 method: GET
 url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz
 response:
- body: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]}'
+ body: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]}
+
+ '
 code: 404
 duration: 0ms
 headers:
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
index e73f1c14f7d..fc05df64737 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
@@ -1 +1 @@
-2022-05-12T09:51:23.120Z
\ No newline at end of file
+2024-03-08T14:19:11.763Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
index 9ecf4ae8fe3..1ca342fb36e 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
@@ -1,7 +1,7 @@
 interactions:
 - request:
 body: |
- {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1652349083"},"type":"agent_rule"}}
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1709907551"},"type":"agent_rule"}}
 form: {}
 headers:
 Accept:
@@ -12,14 +12,17 @@ interactions:
 method: POST
 url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
 response:
- body: '{"data":{"attributes":{"category":"Process Activity","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1652349083","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My
- Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349083546,"creationDate":1652349083546,"expression":"exec.file.name
- == \"sh\""},"type":"agent_rule","id":"xnm-bjf-tfb"}}'
+ body: '{"data":{"id":"ynn-umb-rss","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1709907551","description":"My
+ Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907552061,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907552061,"filters":["os
+ == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}}
+
+ '
 code: 200
 duration: 0ms
 headers:
 Content-Type:
- - application/json;charset=utf-8
+ - application/json
 status: 200 OK
 - request:
 body: ''
@@ -29,16 +32,19 @@ interactions:
 - application/json
 id: 1
 method: GET
- url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/xnm-bjf-tfb
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ynn-umb-rss
 response:
- body: '{"data":{"attributes":{"category":"Process Activity","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1652349083","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My
- Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349083546,"creationDate":1652349083546,"expression":"exec.file.name
- == \"sh\""},"type":"agent_rule","id":"xnm-bjf-tfb"}}'
+ body: '{"data":{"id":"ynn-umb-rss","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1709907551","description":"My
+ Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907552061,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907552061,"filters":["os
+ == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}}
+
+ '
 code: 200
 duration: 0ms
 headers:
 Content-Type:
- - application/json;charset=utf-8
+ - application/json
 status: 200 OK
 - request:
 body: ''
@@ -48,13 +54,11 @@ interactions:
 - '*/*'
 id: 2
 method: DELETE
- url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/xnm-bjf-tfb
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ynn-umb-rss
 response:
 body: ''
 code: 204
 duration: 0ms
- headers:
- Content-Type:
- - application/json;charset=utf-8
+ headers: {}
 status: 204 No Content
 version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze
new file mode 100644
index 00000000000..38810c62a98
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze
@@ -0,0 +1 @@
+2024-03-08T14:19:12.809Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.yaml
new file mode 100644
index 00000000000..27eb64af442
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.yaml
@@ -0,0 +1,1410 @@ +interactions: +- request: + body: '' + form: {} + headers: + Accept: + - application/json + id: 0 + method: GET + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + response: + body: '{"data":[{"id":"cwq-z6j-igp","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection Engineering + CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized + network access by deno runtime","enabled":true,"expression":"bind.addr.family\u003e=0 + \u0026\u0026 process.comm==\"deno\" \u0026\u0026 process.args not in [r\".*(allow-net|allow-ffi|-A|allow-all).*\"]","filters":["os + == \"linux\""],"name":"Deno_unauthorized_network_access_performed","updateDate":1698239523000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"lsi-6pb-7th","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection Engineering + CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized + filesystem read by deno runtime","enabled":false,"expression":"process.comm==\"deno\" + \u0026\u0026 open.flags==524288 \u0026\u0026 open.file.name not in process.argv + \u0026\u0026 process.args not in [r\".*(allow-read|-A|allow-all).*\"]","filters":["os + == \"linux\""],"name":"Deno_unauthorized_read_executed","updateDate":1698237510000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"mal-nic-u3y","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection Engineering + CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized + subprocess created by deno runtime","enabled":true,"expression":"exec.comm !=\"\" + \u0026\u0026 process.ancestors.comm==\"deno\" 
\u0026\u0026 process.ancestors.args + not in [r\".*(allow-run|-A|allow-all).*\"]","filters":["os == \"linux\""],"name":"Deno_unauthorized_subprocess_created","updateDate":1698239525000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"q17-vsb-c4k","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection Engineering + CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized + filesystem write by deno runtime","enabled":false,"expression":"process.comm==\"deno\" + \u0026\u0026 open.flags \u00261==1 \u0026\u0026 process.args not in [r\".*(allow-write|-A|allow-all).*\"]","filters":["os + == \"linux\""],"name":"Deno_unauthorized_write_executed","updateDate":1698237513000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"qp4-oog-vwu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1682687626000,"creator":{"name":"Threat Detection Engineering + CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"A + shell command was executed from a JupyterHub code cell","enabled":true,"expression":"exec.file.path + == \"/usr/bin/bash\" \u0026\u0026 process.ancestors.comm == \"jupyterhub-sing\"","filters":["os + == \"linux\""],"name":"jupyterhub_shell","updateDate":1698238456000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"doi-13m-kzx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1688462439000,"creator":{"name":"Threat Detection Engineering + CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Kubernetes + offensive tool executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" + ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv + )) || exec.file.name in 
[\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os + == \"linux\""],"name":"kubernetes_offensive_tool_executed","updateDate":1698238459000,"updater":{"name":"Juvenal + Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"p24-io5-dv2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1702898544000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"iptables + used to allow egress traffic","enabled":true,"expression":"exec.comm == \"iptables\" + \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] + \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os + == \"linux\""],"name":"tde_malware_egress_traffic_allowed_iptables","updateDate":1702898544000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"wy7-3ug-3k7","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1702898570000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Multiple + files with extensions created under common user directories","enabled":true,"expression":"rename.file.path + in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/var/log/**\", + ~\"/var/lib/log/**\", ~\"/var/backup/*\", ~\"/var/www/**\"] \u0026\u0026 rename.file.destination.name + in [r\"\\.[0-9a-z]+$\"] \u0026\u0026 rename.file.destination.name not in [r\".*\\.(lock|dbtmp|log|journal|ini|sh|json|yml|tmp|snap|txt|pyc|stat|hcl|[0-9])+$\"] + \u0026\u0026 process.comm not in [\"python\",\"python3\",\"agent\",\"security-agent\",\"kubectl\",\"kubelet\",\"datadog-cluster\",\"postgres\"]","filters":["os + == 
\"linux\""],"name":"tde_malware_files_with_extensions_created","updateDate":1703590999000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"s7a-oly-ndz","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1702898596000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Kernel + module loaded from common tmp directories","enabled":true,"expression":"load_module.file.path + in [ ~\"/tmp/**\", ~\"/var/tmp/**\" ]","filters":["os == \"linux\""],"name":"tde_malware_kernel_module_loaded_from_tmp","updateDate":1702898596000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"wvn-ega-hae","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1702898618000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Libpam.so + library hooked using ebpf","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE + \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"tde_malware_libpam_hooked_using_ebpf","updateDate":1702898618000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"aie-5ua-pqh","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1702898642000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"A + process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"((ptrace.tracee.euid==0 + \u0026\u0026 ptrace.tracee.uid ==0)||ptrace.tracee.comm in [~\"*sshd*\"]) \u0026\u0026 + process.comm not in [\"dlv\"]","filters":["os == \"linux\""],"name":"tde_malware_privileged_processes_or_sshd_traced","updateDate":1702898642000,"updater":{"name":"Ahmed + 
Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"46g-4uu-8q2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1702898821000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Proxychaining + technique used","enabled":true,"expression":"exec.comm == \"proxychains\"","filters":["os + == \"linux\""],"name":"tde_malware_proxychains_executed","updateDate":1702898821000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"yyy-5go-xpw","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1702898856000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"A + possible ransomware note created under common user directories","enabled":true,"expression":"open.file.path + in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", + ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"] + \u0026\u0026 open.file.name in [r\".*(restore|recovery|readme|instruction|how_to|ransom).*\", + r\".*(your_|crypt|lock|important).*\\.txt$\"]","filters":["os == \"linux\""],"name":"tde_malware_ransomware_notes_written","updateDate":1709907009000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"vdn-l8j-9h1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1702898880000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"A + process deleted common system log files","enabled":true,"expression":"unlink.file.path + in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", + \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", + \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 + process.comm !=\"dockerd\"","filters":["os == 
\"linux\""],"name":"tde_malware_system_logs_deleted","updateDate":1702898880000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"ofh-ne6-jcq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1702898912000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Tunneling + and port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" + || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"])||(exec.comm + in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] + \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] + ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) + || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) + || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", + \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm + in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", + \"fish\"])","filters":["os == \"linux\""],"name":"tde_malware_tunneling_and_port_forwarding_technique_used","updateDate":1702898912000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"7nc-c8z-od7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707330428000,"creator":{"name":"Juvenal Araujo","handle":"juvenal.araujo@datadoghq.com"},"defaultRule":false,"description":"nsenter + used in container to execute code on the OS PID1","enabled":true,"expression":"exec.file.name + == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 + container.id !=\"\"","filters":["os == \"linux\""],"name":"tde_nsenter_pid1_detection","updateDate":1707330428000,"updater":{"name":"Juvenal + 
Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"vui-e82-jrw","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1705501135000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Connection + to red team domain","enabled":true,"expression":"dns.question.name in [~\"*.interact.sh\" + , ~\"*.oast.pro\" , ~\"*.oast.live\" , ~\"*.oast.site\" , ~\"*.oast.online\" + , ~\"*.oast.fun\" , ~\"*.oast.me\" , ~\"*.burpcollaborator.net\" , ~\"*.oastify.com\" + , ~\"*canarytokens.com\" , ~\"*.requestbin.net\" , ~\"*.dnslog.cn\"]","filters":["os + == \"linux\""],"name":"tde_red_team_domains_used","updateDate":1705501135000,"updater":{"name":"Ahmed + Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name + in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name + !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1708708314000,"updater":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name + == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os + == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The + auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path + == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path + in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 + open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name + != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path + =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name + == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", 
\"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os + == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", + \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os + == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os + == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + base64 command was used to decode information","enabled":true,"expression":"exec.file.name + == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil + was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name + == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 + exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os + == \"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name + in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 + process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os + == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name + in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] + \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == + \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A + compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 + open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", + ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 + (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm + in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name + not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name + in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 + exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 + process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == + \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known + offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline + in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", + \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", + \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", + \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", 
\"/usr/sbin/chpasswd\", + \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", + \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", + \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags + \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", + \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", + \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", + \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", + 
\"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", + \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", + \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", + \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", + \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 + chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path + in [ 
~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || + link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n 
(open.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || + rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", 
\"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags + in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args + in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", + ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os + == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process + environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs + in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os + == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name + == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args + in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == + \"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n 
\"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + \u0026\u0026\nprocess.parent.file.name in 
[\"mysqld\", \"mongod\", \"postgres\"] + \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args + == \"-c locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" + \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process deleted common system log files","enabled":true,"expression":"unlink.file.path + in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", + \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", + \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 + process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + privileged container was created","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted + \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag + \u0026 
PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 + PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid + != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag + \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == + \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] + 
\u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path + not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the lsmod command","enabled":true,"expression":"exec.comm + == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os + == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The + wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os + == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer + \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != + \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode + \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os + == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", + ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os + == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name + =~ \".*\" \u0026\u0026 
exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", + ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os + == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name + in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", + \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os + == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress + traffic allowed using iptables","enabled":true,"expression":"exec.comm == \"iptables\" + \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] + \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os + == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 + process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name + in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] + || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name + in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) + \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os + == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path + in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] + \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not + in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path + not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", + \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", + \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", + \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", + \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", + \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", + \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", + \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", + \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", + \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path + not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", 
\"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid + || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A + kernel module was loaded","enabled":true,"expression":"load_module.name not + in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", + \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 + process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", + \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + container loaded a new kernel module","enabled":true,"expression":"load_module.name + != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory + == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory + == true \u0026\u0026 container.id !=\"\"","filters":["os == 
\"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm + == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os + == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the kmod command","enabled":true,"expression":"exec.comm + == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes + DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" + \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs + in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == + \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library + libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE + \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney + Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode + \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid + != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd + object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 + exec.file.path == \"\"","filters":["os == 
\"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process + memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline + =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name + in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", + ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] + \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + host file system was mounted in a container","enabled":true,"expression":"mount.source.path + == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id + != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Process + hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" + \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + suspicious file was written by a network utility","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 + (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", + ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", + ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network + utility executed with suspicious URI","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", + ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", + \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n 
exec.comm + in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" + \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" + ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration + attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", + ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args + not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + network utility was executed in a container","enabled":true,"expression":"(exec.comm + in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] + ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", + ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + network utility was executed in a container","enabled":true,"expression":"(exec.comm + in 
[\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] + ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", + ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os + == \"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local + account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name + in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + container executed a new binary not found in the container image","enabled":true,"expression":"container.id + != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time + \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != + chmod.file.mode \u0026\u0026 process.file.path 
not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != + chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified 
without authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s + \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS + file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ + \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name + in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" + in exec.argv ) ) || exec.file.name in [ 
\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os + == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent + spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= + 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == + \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path + == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 + O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package + management was detected in a container","enabled":true,"expression":"exec.file.path + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package + management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os + == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection + 
Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without 
authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path + in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags + not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 + process.file.name != 
\"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 
process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in + [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been 
modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n 
\"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in + [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/
bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == \"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name + in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes + were listed using the ps command","enabled":true,"expression":"exec.comm == + \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name + not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name + not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", + \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", + \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os + == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection 
+ Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request + == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == + \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process attempted to inject code into another process","enabled":true,"expression":"ptrace.request + == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == + PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path + == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] + \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 + exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python + code was provided on the command 
line","enabled":true,"expression":"exec.file.name + == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args + in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", + \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os + == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Possible + ransomware note created under common user directories","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", + ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", + ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name + in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] + \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC + scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == + 
\"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + kubeconfig file was accessed","enabled":true,"expression":"open.file.path in + [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS + information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path + == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os + == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects + CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" + \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", + \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", + \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", + \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Redis + module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name + in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", + \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path + in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 + open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os + == 
\"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux + enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status + in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os + == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request + == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == + PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm + not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os + == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl + used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" + \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") + \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os + == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm + == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os + == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 + open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name + == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell + profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", + ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 
((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) + \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 + chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n link.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ]\n || + link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" + ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 + container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name + in [ \"authorized_keys\", 
\"authorized_keys2\" ] \u0026\u0026 (rename.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || + rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" + ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + configuration directory for an ssh worm","enabled":true,"expression":"open.file.path + in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] + \u0026\u0026 
open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os + == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.mode != chmod.file.destination.mode\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name + !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection 
+ Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os + == 
\"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 + 
process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified 
without authorization","enabled":true,"expression":"(\n (chmod.file.path + == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == + \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid + || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without 
authorization","enabled":true,"expression":"\n(open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path + == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
+ \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a + SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == + 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid + == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os + == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name + == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", + ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + container management utility was executed in a container","enabled":true,"expression":"exec.file.name + in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os + == 
\"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious + usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" + \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == + \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently + written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode + \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c + 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path + not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without 
authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", + ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", + ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Tar + archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" + \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != + \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling + or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" + || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) + || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] + \u0026\u0026 process.args in 
[r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] + ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) + || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) + || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", + \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm + in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", + \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + user was created via an interactive session","enabled":true,"expression":"exec.file.name + in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags + not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + user was deleted via an interactive session","enabled":true,"expression":"exec.file.name + in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command + executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] + \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == + \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection + Engineer","handle":""}}}]}' + code: 200 + duration: 0ms + headers: + Content-Type: + - application/json + status: 200 OK +version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze index c9a383b559e..6718e5385e3 100644 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze +++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze @@ -1 +1 @@ -2022-05-12T09:51:24.499Z \ No newline at end of file +2024-03-08T14:19:13.469Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.yaml index d6f7b0a505e..ba4c47dc58c 100644 
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.yaml +++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1652349084"},"type":"agent_rule"}} + {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1709907553"},"type":"agent_rule"}} form: {} headers: Accept: 
@@ -12,14 +12,17 @@ interactions: method: POST url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: - body: '{"data":{"attributes":{"category":"Process Activity","name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1652349084","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349084949,"creationDate":1652349084949,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"w3n-qy8-qud"}}' + body: '{"data":{"id":"gd2-ogg-fyk","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1709907553","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907553752,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907553752,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","defaultRule":false,"enabled":true,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} + + ' code: 200 duration: 0ms headers: Content-Type: - - application/json;charset=utf-8 + - application/json status: 200 OK - request: body: '' 
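Review bot: The re-recorded POST response in this hunk's `+ body:` line commits a real person's identity into the fixture — `"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}` and the matching `updater`, plus `creationAuthorUuId`/`updateAuthorUuId` values — where the previous recording carried the scrubbed placeholder `"handle":"frog@datadoghq.com","name":null`. Cassettes live in the repository, so the recorder's sanitisation step should map `creator`/`updater` and the author UUID fields back to placeholders before the file is committed, e.g. `"creator":{"name":null,"handle":"frog@datadoghq.com"}`; the old recording shows this was the convention. The GET response in the following hunk (`@@ -31,772 +34,1035 @@`) is recorded from the same session and probably repeats the same fields, but its new side runs past the end of this view, so confirm it there as well.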
@@ -31,772 +34,1035 @@ interactions: method: GET url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: - body: '{"data":[{"attributes":{"category":"Process Activity","name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1652349084","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349084949,"creationDate":1652349084949,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"w3n-qy8-qud"},{"attributes":{"category":"Process - Activity","name":"new_binary_execution_in_container","creator":{"handle":"","name":""},"description":"A - container executed a new a binary not found in the container image","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1652129913862,"creationDate":1652129906455,"expression":"container.id - !=\"\" && !process.file.in_upper_layer && process.file.modification_time < 30s - && exec.file.name !=\"\""},"type":"agent_rule","id":"pwh-omk-qrr"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652008845797,"creationDate":1652008845797,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"ntj-rfs-mw3"},{"attributes":{"category":"Process - Activity","name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887","creator":{"handle":"frog@datadoghq.com","name":null},"description":"Test - Agent 
rule","enabled":true,"defaultRule":false,"version":2,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997888544,"creationDate":1651997888388,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"dyn-u7u-v86"},{"attributes":{"category":"Process - Activity","name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997887223,"creationDate":1651997887223,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"mlg-yxw-uig"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997886363,"creationDate":1651997886363,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"lq3-t6t-xng"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997885869,"creationDate":1651997885869,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"1hp-hpr-4ez"},{"attributes":{"category":"Process - Activity","name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997884985,"creationDate":1651997884985,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"mt3-pks-n5s"},{"attributes":{"category":"Process - Activity","name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883","creator":{"handle":"frog@datadoghq.com","name":null},"description":"Test - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651997884150,"creationDate":1651997884150,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"r4a-yvz-rj7"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651943472022,"creationDate":1651943472022,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"5k1-gwi-0aq"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651915815493,"creationDate":1651915815493,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"lkj-jnq-r6s"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651912470539,"creationDate":1651912470539,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"mbc-iwk-zpb"},{"attributes":{"category":"Process - Activity","name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My - Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1651867150336,"creationDate":1651867150336,"expression":"exec.file.name - == \"sh\""},"type":"agent_rule","id":"fzb-lli-m26"},{"attributes":{"category":"Process - Activity","name":"suspicious_container_client","creator":{"handle":"","name":""},"description":"A - container management utility was executed in a container","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1651671394200,"creationDate":1617722068555,"expression":"exec.file.name - in [\"docker\", \"kubectl\"] && container.id != \"\""},"type":"agent_rule","id":"9mk-xxe-lpw"},{"attributes":{"category":"Kernel - Activity","name":"kernel_module_load","creator":{"handle":"","name":""},"description":"A - kernel module was loaded","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1650371511244,"creationDate":1650293718458,"expression":"load_module.name - != \"\""},"type":"agent_rule","id":"f5y-pdn-pnj"},{"attributes":{"category":"Kernel - Activity","name":"new_kernel_module_audit","creator":{"handle":"","name":""},"description":"A - kernel module was loaded","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1650371511243,"creationDate":1650293718502,"expression":"load_module.name - != \"\""},"type":"agent_rule","id":"0dt-ev3-tgr"},{"attributes":{"category":"Kernel - 
Activity","name":"kernel_module_load_container","creator":{"handle":"","name":""},"description":"A - container loaded a new kernel module","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1650371511241,"creationDate":1650293718705,"expression":"load_module.name - != \"\" && container.id !=\"\""},"type":"agent_rule","id":"ieg-lmk-cgo"},{"attributes":{"category":"Kernel - Activity","name":"new_kernel_module_audit_container","creator":{"handle":"","name":""},"description":"A - kernel module was loaded","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1650371511240,"creationDate":1650293718457,"expression":"load_module.name - != \"\" && container.id !=\"\""},"type":"agent_rule","id":"rbg-5fp-tm8"},{"attributes":{"category":"Kernel - Activity","name":"ptrace_injection","creator":{"handle":"","name":""},"description":"A - process attempted to inject code into another process","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1650293789265,"creationDate":1650293718540,"expression":"ptrace.request - == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == - PTRACE_POKEUSR"},"type":"agent_rule","id":"lzx-kkv-at3"},{"attributes":{"category":"Kernel - Activity","name":"ptrace_antidebug","creator":{"handle":"","name":""},"description":"A - process uses an anti-debugging technique to block debuggers","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1650293789216,"creationDate":1650293718435,"expression":"ptrace.request - == PTRACE_TRACEME"},"type":"agent_rule","id":"hnh-eio-mow"},{"attributes":{"category":"Kernel - Activity","name":"kernel_module_load_from_memory","creator":{"handle":"","name":""},"description":"A - kernel module was loaded from 
memory","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1650293788996,"creationDate":1650293718630,"expression":"load_module.loaded_from_memory - == true"},"type":"agent_rule","id":"j3f-cie-47b"},{"attributes":{"category":"Kernel - Activity","name":"kernel_module_load_from_memory_container","creator":{"handle":"","name":""},"description":"A - kernel module was loaded from memory inside a container","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1650293788418,"creationDate":1650293718365,"expression":"load_module.loaded_from_memory - == true && container.id !=\"\""},"type":"agent_rule","id":"foo-pve-qbq"},{"attributes":{"category":"Process - Activity","name":"database_shell_execution","creator":{"handle":"","name":""},"description":"A - database application spawned a shell, shell utility, or HTTP utility","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1649256369233,"creationDate":1617722069155,"expression":"(exec.file.path - in [ \"/bin/dash\", \"/usr/bin/dash\",\n \"/bin/sh\", \"/bin/static-sh\", \"/usr/bin/sh\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\", - \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\", \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\", - \"/bin/zsh5-static\" ] ||\n exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] - ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) - &&\nprocess.ancestors.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n!(process.ancestors.file.name - == \"initdb\" &&\nexec.args == ~\"*locale 
-a*\")"},"type":"agent_rule","id":"phy-tco-k7w"},{"attributes":{"category":"Process - Activity","name":"potential_web_shell","creator":{"handle":"","name":""},"description":"A - webapp process (language engine or webserver) spawned a shell, shell utility, - or HTTP utility","enabled":true,"defaultRule":true,"version":5,"updater":{"handle":"","name":""},"updateDate":1648752302471,"creationDate":1642158535124,"expression":"(exec.file.path - in [ \"/bin/dash\", \"/usr/bin/dash\",\n \"/bin/sh\", \"/bin/static-sh\", \"/usr/bin/sh\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\", - \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\", \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\", - \"/bin/zsh5-static\" ] || exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] - || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) - &&\n(process.ancestors.file.name in [~\"python2*\", ~\"python3*\", \"node\", - \"apache2\", \"nginx\", ~\"tomcat*\"] || process.ancestors.file.name =~ \"php*\") - 
&&\nprocess.ancestors.comm not in [\"pip3\", \"pip\", \"npm\"]"},"type":"agent_rule","id":"wmi-qbh-yyj"},{"attributes":{"category":"File - Activity","name":"dirty_pipe_attempt","creator":{"handle":"","name":""},"description":"Potential - Dirty pipe exploitation attempt","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1648564169932,"creationDate":1648564123603,"expression":"(splice.pipe_entry_flag - & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) - == 0"},"type":"agent_rule","id":"jx4-pkv-247"},{"attributes":{"category":"File - Activity","name":"dirty_pipe_exploitation","creator":{"handle":"","name":""},"description":"Potential - Dirty pipe exploitation","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1648564169488,"creationDate":1648564123563,"expression":"(splice.pipe_exit_flag - & PIPE_BUF_FLAG_CAN_MERGE) > 0"},"type":"agent_rule","id":"aux-r7v-odv"},{"attributes":{"category":"Process - Activity","name":"example_agent_rule","creator":{"handle":"frog@datadoghq.com","name":null},"description":"An - example agent rule generated in terraform","enabled":true,"defaultRule":false,"version":3,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1647036377676,"creationDate":1647036168203,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"irg-o45-pxz"},{"attributes":{"category":"Process - Activity","name":"net_util_in_container","creator":{"handle":"","name":""},"description":"A - network utility was executed from a suspicious location in a container","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1646838764572,"creationDate":1617722068439,"expression":"(exec.file.path - in [\"/usr/bin/socat\", \"/usr/bin/dig\", \"/usr/bin/nslookup\", \"/usr/bin/netcat\", - \"/usr/bin/nc\"] ||\n exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"]) - &&\ncontainer.id != \"\" && 
(exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", - ~\"*motd.ubuntu.com*\" ] || process.ancestors.comm != \"50-motd-news\") && process.ancestors.file.path - in [ ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/home/**\", ~\"/run/user/**\" ]"},"type":"agent_rule","id":"ifl-wfe-sch"},{"attributes":{"category":"Process - Activity","name":"net_util","creator":{"handle":"","name":""},"description":"A - network utility was executed from a suspicious location","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1645196276088,"creationDate":1642158534952,"expression":"(exec.file.path - in [\"/usr/bin/socat\", \"/usr/bin/dig\", \"/usr/bin/nslookup\", \"/usr/bin/netcat\", - \"/usr/bin/nc\"] ||\n exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"]) - &&\ncontainer.id == \"\" && (exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", - ~\"*motd.ubuntu.com*\" ] || process.ancestors.comm != \"50-motd-news\") && process.ancestors.file.path - in [ ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/home/**\", ~\"/run/user/**\" ]"},"type":"agent_rule","id":"3lt-gov-2yu"},{"attributes":{"category":"Process - Activity","name":"pwnkit_privilege_escalation","creator":{"handle":"","name":""},"description":"A - process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1643639115768,"creationDate":1643639113864,"expression":"(exec.file.path - == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.uid - != 0)"},"type":"agent_rule","id":"vri-cjo-ywh"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392938634,"creationDate":1643392938634,"expression":"exec.file.name - == 
\"java\""},"type":"agent_rule","id":"rsy-7jg-hqm"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392919175,"creationDate":1643392919175,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"m39-rre-anw"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392899126,"creationDate":1643392899126,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"4wd-unc-xof"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392475857,"creationDate":1643392475857,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"jhk-qpj-jlt"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392453588,"creationDate":1643392453588,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"ruf-aic-d4j"},{"attributes":{"category":"Process - 
Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392434263,"creationDate":1643392434263,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"jtf-zrn-0ph"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392042558,"creationDate":1643392042558,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"ijz-1cz-bms"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643392021741,"creationDate":1643392021741,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"21m-gs8-p43"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643391998597,"creationDate":1643391998597,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"in7-ydq-pbw"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643391745920,"creationDate":1643391745920,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"v8v-sem-rmg"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643391725233,"creationDate":1643391725233,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"kox-qtp-cbn"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643391702920,"creationDate":1643391702920,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"thp-evn-3gr"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390450706,"creationDate":1643390450706,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"hx6-v0z-9gk"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390427444,"creationDate":1643390427444,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"n8j-9n3-urm"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390405807,"creationDate":1643390405807,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"tkl-mjf-is5"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390171673,"creationDate":1643390171673,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"up2-fhh-bc8"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390147278,"creationDate":1643390147278,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"vdu-0rd-lnj"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643390124588,"creationDate":1643390124588,"expression":"exec.file.name - == 
\"java\""},"type":"agent_rule","id":"dfb-wz2-0ka"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389998703,"creationDate":1643389998703,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"7vz-wdj-vwc"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389972825,"creationDate":1643389972825,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"qls-upn-1vc"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389950224,"creationDate":1643389950224,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"rxo-lya-bqu"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389929035,"creationDate":1643389929035,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"dm3-ip4-rza"},{"attributes":{"category":"Process - 
Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389773436,"creationDate":1643389773436,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"rzs-ccq-4qm"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389706550,"creationDate":1643389706550,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"wa9-zm8-8ds"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389645597,"creationDate":1643389645597,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"alm-sgy-vz3"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389575084,"creationDate":1643389575084,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"dls-vo9-rqx"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389549031,"creationDate":1643389549031,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"fyz-u20-nvn"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389523942,"creationDate":1643389523942,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"nqv-0et-fcj"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389502800,"creationDate":1643389502800,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"u7v-36z-wue"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389479547,"creationDate":1643389479547,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"y2z-ffa-zys"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389428402,"creationDate":1643389428402,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"cym-1zi-nnd"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389406698,"creationDate":1643389406698,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"ip9-wgt-q3k"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389381751,"creationDate":1643389381751,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"t9d-zbo-2nw"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389356453,"creationDate":1643389356453,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"kaw-0h7-dji"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389335243,"creationDate":1643389335243,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"m4i-otg-jnj"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389226802,"creationDate":1643389226802,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"heh-lnh-xwm"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389204108,"creationDate":1643389204108,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"cwa-5rh-qtd"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389181761,"creationDate":1643389181761,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"e5l-xtx-hmi"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389155207,"creationDate":1643389155207,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"ebx-lyj-r3a"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389130549,"creationDate":1643389130549,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"xac-4if-49b"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643389106392,"creationDate":1643389106392,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"dh6-bdu-8v0"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388960762,"creationDate":1643388960762,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"hkd-6dr-ify"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388931383,"creationDate":1643388931383,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"bsx-fod-0xj"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388907818,"creationDate":1643388907818,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"8jt-x9p-yoy"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388883010,"creationDate":1643388883010,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"rhd-qao-dub"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388862340,"creationDate":1643388862340,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"j0f-fhi-ab7"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388843151,"creationDate":1643388843151,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"rvn-u2c-xm4"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388744863,"creationDate":1643388744863,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"ldn-agb-3fl"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388719895,"creationDate":1643388719895,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"cyr-g7t-to0"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388693095,"creationDate":1643388693095,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"wnm-xkk-mat"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388275282,"creationDate":1643388275282,"expression":"exec.file.name - == 
\"java\""},"type":"agent_rule","id":"moo-kuq-zbt"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388250051,"creationDate":1643388250051,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"wzs-moc-ji9"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388226579,"creationDate":1643388226579,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"uw2-d3y-5h6"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388201323,"creationDate":1643388201323,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"fez-txs-qf9"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388177724,"creationDate":1643388177724,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"fga-mna-xej"},{"attributes":{"category":"Process - 
Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388157048,"creationDate":1643388157048,"expression":"exec.file.name - == \"go\""},"type":"agent_rule","id":"iyn-7sl-swn"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643388010676,"creationDate":1643388010676,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"p3w-qyi-pbo"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387597089,"creationDate":1643387597089,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"yyt-sfa-fck"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387573023,"creationDate":1643387573023,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"5z7-fqq-siu"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387549793,"creationDate":1643387549793,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"ivz-amj-yl7"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387524178,"creationDate":1643387524178,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"lyv-3xn-qch"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387500298,"creationDate":1643387500298,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"fpt-c7o-ipx"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387480011,"creationDate":1643387480011,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"tap-fek-5kw"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387165931,"creationDate":1643387165931,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"u7b-x0z-cbe"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387141298,"creationDate":1643387141298,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"hhe-gcm-vjl"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387114912,"creationDate":1643387114912,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"nt9-5fe-de1"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387082695,"creationDate":1643387082695,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"pj0-bcy-euh"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387057879,"creationDate":1643387057879,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"rm5-px4-iua"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643387032689,"creationDate":1643387032689,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"cqz-7pc-ajz"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386926682,"creationDate":1643386926682,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"hot-prj-df5"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386901939,"creationDate":1643386901939,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"q7n-lvv-4au"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386877222,"creationDate":1643386877222,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"gly-5wu-uny"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386850558,"creationDate":1643386850558,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"umz-fjl-7qq"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386826170,"creationDate":1643386826170,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"spq-5f8-isw"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386804704,"creationDate":1643386804704,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"dul-hdz-xmo"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent 
rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386762229,"creationDate":1643386762229,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"n94-q2a-co9"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386735946,"creationDate":1643386735946,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"x1n-wra-hdt"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386713348,"creationDate":1643386713348,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"kgt-kcc-tnu"},{"attributes":{"category":"Process - Activity","name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657","creator":{"handle":"frog@datadoghq.com","name":null},"description":"an - agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1643386674573,"creationDate":1643386674573,"expression":"exec.file.name - == \"java\""},"type":"agent_rule","id":"znp-dul-gcj"},{"attributes":{"category":"Process - Activity","name":"apparmor_modified_tty","creator":{"handle":"","name":""},"description":"AppArmor - Profile Modified","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1636729678630,"creationDate":1627392836162,"expression":"exec.file.name - in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name 
!=\"\""},"type":"agent_rule","id":"ki7-koc-icf"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_chmod","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (chmod.file.path + body: '{"data":[{"id":"gd2-ogg-fyk","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1709907553","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907553752,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907553752,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo + Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"},{"id":"g5j-9l5-phu","attributes":{"version":11,"name":"cryptominer_args","description":"A + process launched with arguments associated with cryptominers","expression":"exec.args_flags + in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args + in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", + ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process + Activity","creationDate":0,"updateAuthorUuId":"3c3ddadd-9ceb-11ed-b5f9-b6e96f801924","updateDate":1709241156082,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Daniel + Zhou","handle":"daniel.zhou@datadoghq.com"}},"type":"agent_rule"},{"id":"ya1-tzs-p2g","attributes":{"version":2,"name":"tde_malware_ransomware_notes_written","description":"A + possible ransomware note 
created under common user directories","expression":"open.file.path + in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", + ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"] + && open.file.name in [r\".*(restore|recovery|readme|instruction|how_to|ransom).*\", + r\".*(your_|crypt|lock|important).*\\.txt$\"]","category":"File Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703167436145,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1708536266340,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"xn0-ede-cwo","attributes":{"version":1,"name":"tde_nsenter_pid1_detection","description":"nsenter + used in container to execute code on the OS PID1","expression":"exec.file.name + == \"nsenter\" && exec.args_options in [\"target=1\", \"t=1\"] && container.id + !=\"\"","category":"Process Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1707329054174,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1707329054174,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"wyh-nt8-y0o","attributes":{"version":1,"name":"tde_red_team_domains_used","description":"Connection + to red team domain","expression":"dns.question.name in [~\"*.interact.sh\" , + ~\"*.oast.pro\" , ~\"*.oast.live\" , ~\"*.oast.site\" , ~\"*.oast.online\" , + 
~\"*.oast.fun\" , ~\"*.oast.me\" , ~\"*.burpcollaborator.net\" , ~\"*.oastify.com\" + , ~\"*canarytokens.com\" , ~\"*.requestbin.net\" , ~\"*.dnslog.cn\"]","category":"Network + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1705421116371,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1705421116371,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"mua-npg-7n2","attributes":{"version":1,"name":"looney_tunables_exploit","description":"Looney + Tunables (CVE-2023-4911) exploit attempted","expression":"exec.file.mode & S_ISUID + > 0 && exec.file.uid == 0 && exec.uid != 0 && exec.envs in [~\"*GLIBC_TUNABLES*\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404434303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"afy-gnp-rfp","attributes":{"version":1,"name":"kernel_msr_write","description":"A + process attempted to enable writing to model-specific registers","expression":"exec.comm + == \"modprobe\" && process.args =~ \"*msr*allow_writes*\"","category":"Process + Activity","creationDate":0,"updateDate":1704404434302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qew-m41-jfc","attributes":{"version":1,"name":"ransomware_note","description":"Possible + ransomware note created under common user directories","expression":"open.flags + & O_CREAT > 0 && open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", + 
~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", + ~\"/var/backup/**\", ~\"/var/www/**\"] && open.file.name in [r\"(?i).*(restore|recovery|readme|instruction|how_to|ransom).*|.*(your_|crypt|lock|important).*\\.txt$\"] + && open.file.name != \"README.md\"","category":"File Activity","creationDate":0,"updateDate":1704404434302,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mwt-r43-san","attributes":{"version":1,"name":"sensitive_tracing","description":"A + process is tracing privileged processes or sshd for possible credential dumping","expression":"(ptrace.request + == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == + PTRACE_PEEKUSR) && ptrace.tracee.euid == 0 && process.comm not in [\"dlv\", + \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","category":"Kernel + Activity","creationDate":0,"updateDate":1704404434302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ul7-jol-1bw","attributes":{"version":1,"name":"cryptominer_envs","description":"Process + environment variables match cryptocurrency miner","expression":"exec.envs in + [~\"*POOL_USER*\", ~\"*POOL_URL*\", ~\"*POOL_PASS*\", ~\"*DONATE_LEVEL*\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404426851,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dqg-wa2-0oi","attributes":{"version":1,"name":"procdump_execution","description":"A + tool used to dump process memory has been executed","expression":"exec.file.name + in [\"procmon.exe\",\"procdump.exe\"]","category":"Process 
Activity","creationDate":0,"updateDate":1704404425515,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"csf-k3c-qka","attributes":{"version":1,"name":"minidump_usage","description":"Process + memory was dumped using the minidump function from comsvcs.dll","expression":"exec.cmdline + =~ \"*MiniDump*\"","category":"Process Activity","creationDate":0,"updateDate":1704404425504,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ghp-mfr-1qz","attributes":{"version":1,"name":"tunnel_traffic","description":"Tunneling + or port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" || + exec.comm == \"gost\") && process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm + in [\"ssh\", \"sshd\"] && process.args in [r\".*(-R|-L|-D|w).*\"] && process.args + in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" + && process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" + && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", + \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", + \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", + \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","category":"Process + Activity","creationDate":0,"updateDate":1704404425504,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uhr-n6q-lvh","attributes":{"version":1,"name":"iptables_egress_allowed","description":"Egress + traffic allowed using iptables","expression":"exec.comm == \"iptables\" && process.args + in 
[r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] && + process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404424741,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"642-j0s-psf","attributes":{"version":1,"name":"libpam_ebpf_hook","description":"Library + libpam.so hooked using eBPF","expression":"bpf.cmd == BPF_MAP_CREATE && process.args + in [r\".*libpam.so.*\"]","category":"Kernel Activity","creationDate":0,"updateDate":1704404424739,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u8d-fot-gin","attributes":{"version":1,"name":"wmi_spawning_shell","description":"Command + executed via WMI","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] + && process.parent.file.name == \"WmiPrvSE.exe\"","category":"Process Activity","creationDate":0,"updateDate":1704404424705,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"17k-2xh-ie2","attributes":{"version":1,"name":"crackmap_exec_executed","description":"Known + offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", + ~\"*cme*\"]","category":"Process Activity","creationDate":0,"updateDate":1704404424475,"filters":["os + == 
\"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"45j-2y7-vyd","attributes":{"version":1,"name":"chatroom_request","description":"A + newly created file contacted a chatroom domain","expression":"dns.question.name + in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] && process.file.in_upper_layer + && process.file.change_time < 60s","category":"Network Activity","creationDate":0,"updateDate":1704404424472,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ecn-u6p-nqz","attributes":{"version":1,"name":"suspicious_bitsadmin_usage","description":"A + suspicious bitsadmin command has been executed","expression":"exec.file.name + == \"bitsadmin.exe\" && exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404424472,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xcs-z8z-hx3","attributes":{"version":1,"name":"ntds_in_commandline","description":"NTDS + file referenced in commandline","expression":"exec.cmdline =~ \"*ntds.dit*\"","category":"Process + Activity","creationDate":0,"updateDate":1704404424468,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"l7e-zmy-5pd","attributes":{"version":1,"name":"scheduled_task_creation","description":"A + scheduled task was created","expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404424467,"filters":["os 
== \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"i8x-ujp-ueg","attributes":{"version":1,"name":"delete_system_log","description":"A + process deleted common system log files","expression":"unlink.file.path in [\"/var/run/utmp\", + \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", + \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", + \"/var/log/boot.log\", \"/var/log/kern.log\"] && process.comm not in [\"dockerd\", + \"containerd\"]","category":"File Activity","creationDate":0,"updateDate":1704404424465,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xns-u7l-cxs","attributes":{"version":1,"name":"certutil_usage","description":"Certutil + was executed to transmit or decode a potentially malicious file","expression":"exec.file.name + == \"certutil.exe\" && ((exec.cmdline =~ \"*urlcache*\" && exec.cmdline =~ \"*split*\") + || exec.cmdline =~ \"*decode*\")","category":"Process Activity","creationDate":0,"updateDate":1704404424457,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hxr-rjo-6am","attributes":{"version":1,"name":"open_msr_writes","description":"A + process opened a model-specific register (MSR) configuration file","expression":"open.file.path + == \"/sys/module/msr/parameters/allow_writes\" && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY + > 0","category":"File Activity","creationDate":0,"updateDate":1704404424453,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jzh-eac-blf","attributes":{"version":1,"name":"exec_wrmsr","description":"The + wrmsr program executed","expression":"exec.comm == \"wrmsr\"","category":"Process + Activity","creationDate":0,"updateDate":1704404424444,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mdd-iec-z0k","attributes":{"version":14,"name":"database_shell_execution","description":"A + database application spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + &&\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n!(process.parent.file.name + == \"initdb\" &&\nexec.args == \"-c locale -a\") &&\n!(process.parent.file.name + 
== \"postgres\" &&\nexec.args == ~\"*pg_wal*\")","category":"Process Activity","creationDate":1617722069155,"updateDate":1704404408433,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wic-due-xxn","attributes":{"version":2,"name":"pci_11_5_critical_binaries_open_v2","description":"Critical + system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", + ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" + ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + && container.created_at > 90s","category":"File Activity","creationDate":0,"updateDate":1704404408077,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ie9-9ii-vjx","attributes":{"version":18,"name":"nsswitch_conf_mod_chmod","description":"nsswitch + may have been modified without authorization","expression":"(\n (chmod.file.path + in [ \"/etc/nsswitch.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode + && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142958657,"updateDate":1704404407750,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1ez-rlj-tiq","attributes":{"version":2,"name":"nsswitch_conf_mod_open_v2","description":"nsswitch + may have been modified without authorization","expression":"(\n open.flags + & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" + ])\n) && container.created_at > 90s && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":0,"updateDate":1704404407660,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oi0-rk3-alq","attributes":{"version":2,"name":"ssl_certificate_tampering_open_v2","description":"SSL + certificates may have been tampered with","expression":"(\n open.flags & + (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", + ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"\n&& container.created_at > 90s","category":"File + Activity","creationDate":0,"updateDate":1704404407651,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vzp-pj6-nlx","attributes":{"version":19,"name":"nsswitch_conf_mod_chown","description":"nsswitch + may have been modified without authorization","expression":"(\n (chown.file.path + in [ \"/etc/nsswitch.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid + || chown.file.destination.gid != chown.file.gid) && process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142958657,"updateDate":1704404407506,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wbw-rqf-s3a","attributes":{"version":18,"name":"nsswitch_conf_mod_open","description":"nsswitch + may have been modified without authorization","expression":"(\n open.flags + & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" + ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142958657,"updateDate":1704404407503,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vkp-n2c-4el","attributes":{"version":3,"name":"credential_modified_open_v2","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n open.flags + & 
((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", + \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", + \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + && container.created_at > 90s","category":"File Activity","creationDate":0,"updateDate":1704404407503,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ir2-b4s-gfn","attributes":{"version":3,"name":"ssh_authorized_keys_open_v2","description":"SSH + modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] + && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" + ])\n) && container.created_at > 90s","category":"File Activity","creationDate":0,"updateDate":1704404407501,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c2x-vcd-5b4","attributes":{"version":3,"name":"package_management_in_container_v2","description":"Package + management was detected in a conatiner outside of container start_up","expression":"exec.file.path + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + && container.id != \"\" && container.created_at > 90s","category":"Process Activity","creationDate":0,"updateDate":1704404407500,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nmo-zeb-pga","attributes":{"version":3,"name":"suspicious_suid_execution","description":"Recently + written or modified suid file has been executed","expression":"((process.file.mode + & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != + \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"Process + Activity","creationDate":0,"updateDate":1704404407500,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"crl-kkv-3cm","attributes":{"version":3,"name":"tde_testing_tampering","description":"testing + only","expression":"exec.comm == \"abcdefgh\"","category":"Process Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703684038882,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1704280473848,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering 
CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"s6d-kk2-xoh","attributes":{"version":1,"name":"tde_malware_tunneling_and_port_forwarding_technique_used","description":"Tunneling + and port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" || + exec.comm == \"gost\") && process.args in [r\".*(-L|-C|-R).*\"])||(exec.comm + in [\"ssh\", \"sshd\"] && process.args in [r\".*(-R|-L|-D|w).*\"] && process.args + in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" + && process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" + && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", + \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", + \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", + \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","category":"Process + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703183027074,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703183027074,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"iqa-7wg-rxt","attributes":{"version":1,"name":"tde_malware_privileged_processes_or_sshd_traced","description":"A + process is tracing privileged processes or sshd for possible credential dumping","expression":"((ptrace.tracee.euid==0 + && ptrace.tracee.uid ==0)||ptrace.tracee.comm in [~\"*sshd*\"]) && process.comm + not in [\"dlv\"]","category":"Kernel 
Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703180056299,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703180056299,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"w8h-hbp-12m","attributes":{"version":1,"name":"tde_malware_system_logs_deleted","description":"A + process deleted common system log files","expression":"unlink.file.path in [\"/var/run/utmp\", + \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", + \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", + \"/var/log/boot.log\", \"/var/log/kern.log\"] && process.comm !=\"dockerd\"","category":"File + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703178864120,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703178864120,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"wxv-xlp-34y","attributes":{"version":1,"name":"tde_malware_files_with_extensions_created","description":"Multiple + files with extensions created under common user directories","expression":"rename.file.path + in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/var/log/**\", + ~\"/var/lib/log/**\", ~\"/var/backup/*\", ~\"/var/www/**\"] && rename.file.destination.name + in [r\"\\.[0-9a-z]+$\"] && rename.file.destination.name not in 
[r\".*\\.(lock|dbtmp|log|journal|ini|sh|json|yml|tmp|snap|txt|pyc|stat|hcl|[0-9])+$\"] + && process.comm not in [\"python\",\"python3\",\"agent\",\"security-agent\",\"kubectl\",\"kubelet\",\"datadog-cluster\"]","category":"File + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703174626572,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703174626572,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"3fl-m83-qqt","attributes":{"version":1,"name":"tde_malware_proxychains_executed","description":"Proxychaining + technique used","expression":"exec.comm == \"proxychains\"","category":"Process + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703171141223,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703171141223,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"gha-zgq-l5p","attributes":{"version":1,"name":"tde_malware_egress_traffic_allowed_iptables","description":"iptables + used to allow egress traffic","expression":"exec.comm == \"iptables\" && process.args + in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] && + process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(172\\.3[0-1]|\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","category":"Process + 
Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703167436195,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703167436195,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"n9z-ini-wrv","attributes":{"version":1,"name":"tde_malware_kernel_module_loaded_from_tmp","description":"Kernel + module loaded from common tmp directories","expression":"load_module.file.path + in [ ~\"/tmp/**\", ~\"/var/tmp/**\" ]","category":"Kernel Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703167436172,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703167436172,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"4jr-tig-mue","attributes":{"version":1,"name":"tde_malware_libpam_hooked_using_ebpf","description":"Libpam.so + library hooked using ebpf","expression":"bpf.cmd == BPF_MAP_CREATE && process.args + in [r\".*libpam.so.*\"]","category":"Kernel Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703160289438,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703160289438,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering 
CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"f24-lwh-8pz","attributes":{"version":3,"name":"ps_discovery","description":"Processes + were listed using the ps command","expression":"exec.comm == \"ps\" && exec.argv + not in [\"-p\", \"--pid\"] && process.ancestors.file.name not in [\"qualys-cloud-agent\", + \"amazon-ssm-agent\"]","category":"Process Activity","creationDate":0,"updateAuthorUuId":"309c6bc6-6e68-11ec-b3fe-da7ad0900002","updateDate":1702489222385,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Matt + Mills","handle":"matt.mills@datadoghq.com"}},"type":"agent_rule"},{"id":"esa-kku-q4m","attributes":{"version":8,"name":"common_net_intrusion_util","description":"A + network utility (nmap) commonly used in intrusion attacks was executed","expression":"exec.file.name + in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] + && exec.args_flags not in [\"V\", \"version\"]","category":"Process Activity","creationDate":0,"updateAuthorUuId":"de54768c-eb9f-11e9-a77a-cb84d47a0c16","updateDate":1700488339815,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"C\u00e9cile + Guyon","handle":"cecile.guyon@datadoghq.com"}},"type":"agent_rule"},{"id":"ll4-n4d-zsq","attributes":{"version":8,"name":"k8s_pod_service_account_token_accessed","description":"The + Kubernetes pod service account token was accessed","expression":"open.file.path + in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] + && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] + && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", + \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", + \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", + \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", + \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", + \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", + \"/node-termination-handler\", \"/fluent-bit-gke-exporter\"] && process.ancestors.file.path + not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","creationDate":0,"updateDate":1699614647574,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o5b-3eb-em5","attributes":{"version":4,"name":"interactive_shell_in_container","description":"An + interactive shell was started inside of a container","expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n 
\"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] && exec.args_flags in [\"i\"] && container.id !=\"\"","category":"Process + Activity","creationDate":1627392835654,"updateDate":1699614634532,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pm7-0bt-lbp","attributes":{"version":19,"name":"ssh_authorized_keys_unlink","description":"SSH + modified keys may have been modified","expression":"(\n unlink.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] && (unlink.file.path in [ ~\"/root/.ssh/*\", + ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","creationDate":1642158535302,"updateDate":1699614632218,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6ss-gx0-o0l","attributes":{"version":2,"name":"exec_lsmod","description":"Kernel + modules were listed using the lsmod command","expression":"exec.comm == \"lsmod\"","category":"Process + Activity","creationDate":0,"updateDate":1699614632049,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bay-wrp-htk","attributes":{"version":2,"name":"omigod","description":"Omiagent + spawns a privileged child process","expression":"exec.uid >= 0 && process.ancestors.file.name + == 
\"omiagent\"","category":"Process Activity","creationDate":1636729662305,"updateDate":1699614629763,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5vv-6pw-c3z","attributes":{"version":2,"name":"exec_whoami","description":"The + whoami command was executed","expression":"exec.comm == \"whoami\"","category":"Process + Activity","creationDate":0,"updateDate":1699614622203,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lb9-6hv-6k2","attributes":{"version":22,"name":"systemd_modification_utimes","description":"A + service may have been modified without authorization","expression":"(\n (utimes.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":0,"updateDate":1699614620744,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u8t-ums-bdn","attributes":{"version":9,"name":"suspicious_container_client","description":"A + container management utility was executed in a container","expression":"exec.file.name + in [\"docker\", \"kubectl\"] && container.id != \"\"","category":"Process Activity","creationDate":1617722068555,"updateDate":1699614618370,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3kb-bma-rya","attributes":{"version":4,"name":"auditd_config_modified","description":"The + auditd configuration file was modified without using auditctl","expression":"open.file.path + == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 && process.file.name != \"auditctl\"","category":"File Activity","creationDate":0,"updateDate":1699614615388,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lag-ggh-k1o","attributes":{"version":2,"name":"network_sniffing_tool","description":"Local + account groups were enumerated after container start up","expression":"exec.file.name + in [\"tcpdump\", \"tshark\"]","category":"Process Activity","creationDate":0,"updateDate":1699614614908,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o4t-6hb-gsb","attributes":{"version":22,"name":"systemd_modification_unlink","description":"A + service may have been modified without authorization","expression":"(\n (unlink.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":0,"updateDate":1699614614159,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cp9-wqy-ie5","attributes":{"version":19,"name":"ssh_authorized_keys_rename","description":"SSH + modified keys may have been modified","expression":"(\n rename.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] && (rename.file.path in [ ~\"/root/.ssh/*\", + ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File + Activity","creationDate":1642158535225,"updateDate":1699614610736,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mmd-hm9-nul","attributes":{"version":28,"name":"pci_11_5_critical_binaries_unlink","description":"Critical + system binaries may have been modified","expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) - && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"kzh-5hn-edg"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_chown","creator":{"handle":"","name":""},"description":"Critical - System 
Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (chown.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","creationDate":1642158535384,"updateDate":1699614610678,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sjc-t7h-y3g","attributes":{"version":2,"name":"sudoers_policy_modified_open","description":"Sudoers + policy file may have been modified without authorization","expression":"\n(open.flags + & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n(open.file.path == \"/etc/sudoers\")) + && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","creationDate":0,"updateDate":1699614610658,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wty-l8v-uum","attributes":{"version":22,"name":"systemd_modification_open","description":"A + service may have been modified without authorization","expression":"(\n open.flags + & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ 
~\"/lib/systemd/system/**\", + ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158534936,"updateDate":1699614610639,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1fj-fmh-6kw","attributes":{"version":4,"name":"compile_after_delivery","description":"A + compiler wrote a suspicious file in a container","expression":"open.flags & + O_CREAT > 0\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", + ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", + ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n&& (process.comm in [\"javac\", \"clang\", + \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n&& + process.file.name not in [\"pip\", ~\"python*\"]\n&& container.id != \"\"","category":"File + Activity","creationDate":0,"updateAuthorUuId":"82ba1758-696c-11ea-828d-fb376ef71e70","updateDate":1699614610524,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qox-gue-mq8","attributes":{"version":3,"name":"pwnkit_privilege_escalation","description":"A + process was spawned with indicators of exploitation of CVE-2021-4034","expression":"(exec.file.path + == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.envs + not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)","category":"Process + Activity","creationDate":1643639113864,"updateDate":1699614610455,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dlp-tcr-jju","attributes":{"version":2,"name":"kmod_list","description":"Kernel + modules were listed using the kmod command","expression":"exec.comm == \"kmod\" + && exec.args in [~\"*list*\"]","category":"Process Activity","creationDate":0,"updateDate":1699614610436,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"knr-3tx-cl8","attributes":{"version":2,"name":"java_shell_execution_parent","description":"A + java process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n&& + process.parent.file.name == \"java\"","category":"Process Activity","creationDate":0,"updateDate":1699614610329,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r8w-red-u4k","attributes":{"version":2,"name":"kernel_module_load_from_memory","description":"A + kernel module was loaded from memory","expression":"load_module.loaded_from_memory + == true","category":"Kernel Activity","creationDate":1650293718630,"updateDate":1699614610258,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jnv-fq4-f23","attributes":{"version":2,"name":"sudoers_policy_modified_chmod","description":"Sudoers + policy file may have been modified without authorization","expression":"(\n (chmod.file.path + == \"/etc/sudoers\") \n) && chmod.file.destination.mode != chmod.file.mode && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","creationDate":0,"updateDate":1699614610235,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ji5-8o4-btp","attributes":{"version":2,"name":"kubernetes_dns_enumeration","description":"Kubernetes + DNS enumeration","expression":"dns.question.name == \"any.any.svc.cluster.local\" + && dns.question.type == SRV && container.id != \"\"","category":"Network Activity","creationDate":0,"updateDate":1699614610050,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3j1-wdg-qsg","attributes":{"version":28,"name":"pci_11_5_critical_binaries_open","description":"Critical + system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", + ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" + ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535263,"updateDate":1699614610036,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vaz-icd-nel","attributes":{"version":2,"name":"net_file_download","description":"A + suspicious file was written by a network utility","expression":"open.flags & + O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n&& (\n (open.file.path + =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || + open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", + ~\"/dev/shm/**\"]\n)","category":"File Activity","creationDate":0,"updateDate":1699614609925,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hir-1j3-tsx","attributes":{"version":20,"name":"ssh_authorized_keys_chown","description":"SSH + modified keys may have been modified","expression":"(\n chown.file.name in + [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", + ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File + Activity","creationDate":1642158534934,"updateDate":1699614609845,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mag-ijd-ucx","attributes":{"version":2,"name":"sudoers_policy_modified_utimes","description":"Sudoers + policy file may have been modified without authorization","expression":"(\n (utimes.file.path + == \"/etc/sudoers\")\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":0,"updateDate":1699614609831,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yq3-x9w-n3j","attributes":{"version":2,"name":"tar_execution","description":"Tar + archive created","expression":"exec.file.path == \"/usr/bin/tar\" && exec.args_flags + in [\"create\",\"c\"]","category":"Process Activity","creationDate":0,"updateDate":1699614609831,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sfh-mqa-shl","attributes":{"version":24,"name":"ssl_certificate_tampering_chown","description":"SSL + certificates may have been tampered with","expression":"(\n (chown.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535153,"updateDate":1699614609662,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"f6g-gbx-9l6","attributes":{"version":4,"name":"auditd_rule_file_modified","description":"The + auditd rules file was modified without using auditctl","expression":"open.file.path + in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] && open.flags + & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File + Activity","creationDate":0,"updateDate":1699614609625,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ysi-0bm-8tc","attributes":{"version":34,"name":"kernel_module_chmod","description":"A + new kernel module was added","expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) + && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","creationDate":1642158535040,"updateDate":1699614609526,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0sl-ako-4w6","attributes":{"version":24,"name":"ssl_certificate_tampering_utimes","description":"SSL + certificates may have been tampered with","expression":"(\n (utimes.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& + process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":0,"updateDate":1699614609522,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4ec-mzv-u5g","attributes":{"version":5,"name":"kernel_module_load","description":"A + kernel module was loaded","expression":"load_module.name not in [\"nf_tables\", + \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", + \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] && process.ancestors.file.name + not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", + \"ssm-agent-worker\"]","category":"Kernel Activity","creationDate":1650293718458,"updateDate":1699614609521,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kik-wm5-my4","attributes":{"version":5,"name":"dynamic_linker_config_unlink","description":"A + process unlinked a dynamic linker config file","expression":"unlink.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","creationDate":0,"updateDate":1699614609521,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tji-eua-ery","attributes":{"version":2,"name":"sudoers_policy_modified_rename","description":"Sudoers + policy file may have been modified without 
authorization","expression":"(\n (rename.file.path + == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","category":"File + Activity","creationDate":0,"updateDate":1699614609520,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bpi-apd-1ad","attributes":{"version":1,"name":"offensive_k8s_tool","description":"A + known kubernetes pentesting tool has been executed","expression":"(exec.file.name + in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv + ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process + Activity","creationDate":0,"updateDate":1699605542656,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rcz-xwn-5lq","attributes":{"version":1,"name":"redis_save_module","description":"Redis + module has been created","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 && open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", + ~\"*.so\"]) && process.file.name in [\"redis-check-rdb\", \"redis-server\"]","category":"File + Activity","creationDate":0,"updateDate":1699605540650,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oit-dq6-jtz","attributes":{"version":4,"name":"net_util_exfiltration","description":"Exfiltration + attempt via network utility","expression":"exec.comm in [\"wget\", \"curl\", + \"lwp-download\"] && \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", + ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] &&\nexec.args 
not in + [~\"*localhost*\", ~\"*127.0.0.1*\"]","category":"Process Activity","creationDate":0,"updateDate":1699605533426,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wos-cqg-alj","attributes":{"version":27,"name":"pci_11_5_critical_binaries_rename","description":"Critical + system binaries may have been modified","expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) - && (chown.uid != chown.file.uid || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"yly-big-wfq"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_link","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (link.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ]\n || link.file.destination.path in - [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", 
\"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"rm1-b8h-cec"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_rename","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (rename.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","creationDate":1642158535169,"updateDate":1699605533116,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1bt-oqb-nhw","attributes":{"version":27,"name":"pci_11_5_critical_binaries_link","description":"Critical + system binaries may have been modified","expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ]\n || rename.file.destination.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in + [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","creationDate":1642158535044,"updateDate":1699605533055,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"f1p-4uk-ji9","attributes":{"version":2,"name":"selinux_disable_enforcement","description":"SELinux + enforcement status was disabled","expression":"selinux.enforce.status in [\"permissive\", + \"disabled\"] && process.ancestors.args != ~\"*BECOME-SUCCESS*\"","category":"Kernel + Activity","creationDate":1635332067172,"updateDate":1699605533031,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ewk-kr1-m8w","attributes":{"version":6,"name":"runc_modification","description":"The + runc binary was modified in a non-standard way","expression":"open.file.path + in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags + & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n&& + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","creationDate":1627392837049,"updateDate":1699605532961,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4ym-hxb-nfc","attributes":{"version":27,"name":"pci_11_5_critical_binaries_utimes","description":"Critical + system binaries may have been modified","expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"1vg-wvn-jeo"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_open","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/bin/*\", - ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", - ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path not in - [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"tmh-now-e61"},{"attributes":{"category":"File - Activity","name":"pci_11_5_critical_binaries_unlink","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (unlink.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","creationDate":1642158535079,"updateDate":1699605532927,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"39x-fmc-9sw","attributes":{"version":27,"name":"pci_11_5_critical_binaries_chown","description":"Critical + system binaries may have been modified","expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"mhl-gkn-bun"},{"attributes":{"category":"File 
- Activity","name":"pci_11_5_critical_binaries_utimes","creator":{"handle":"","name":""},"description":"Critical - System Binaries","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678212,"creationDate":1606142933669,"expression":"(\n (utimes.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != + chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File + Activity","creationDate":1642158535097,"updateDate":1699605532862,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3xp-uvx-hxk","attributes":{"version":13,"name":"apparmor_modified_tty","description":"An + AppArmor profile was modified in an interactive session","expression":"exec.file.name + in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name !=\"\"","category":"Process + Activity","creationDate":1627392836162,"updateAuthorUuId":"f4183a42-8a64-11ea-93df-c318904b3ca4","updateDate":1699605532856,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"v4a-bat-ppk","attributes":{"version":27,"name":"pci_11_5_critical_binaries_chmod","description":"Critical + system binaries may have been modified","expression":"(\n (chmod.file.path in [ ~\"/bin/*\", 
~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"6ef-efv-07c"},{"attributes":{"category":"File - Activity","name":"systemd_modification_chmod","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (chmod.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"kuu-k1s-gqz"},{"attributes":{"category":"File - Activity","name":"systemd_modification_chown","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (chown.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n) && (chown.uid != chown.file.uid || chown.gid - != 
chown.file.gid)"},"type":"agent_rule","id":"qdc-oqx-zsx"},{"attributes":{"category":"File - Activity","name":"systemd_modification_link","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (link.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", - ~\"/etc/systemd/system/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"bgs-kbk-xkh"},{"attributes":{"category":"File - Activity","name":"systemd_modification_rename","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (rename.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", - ~\"/etc/systemd/system/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"rek-wb4-s7y"},{"attributes":{"category":"File - Activity","name":"systemd_modification_open","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) 
> 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/*\", - ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"nlp-lzc-rcf"},{"attributes":{"category":"File - Activity","name":"systemd_modification_unlink","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (unlink.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"kxs-kt6-5gt"},{"attributes":{"category":"File - Activity","name":"systemd_modification_utimes","creator":{"handle":"","name":""},"description":"Systemd - Modification","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729678140,"creationDate":1606142929241,"expression":"(\n (utimes.file.path - in [ ~\"/lib/systemd/system/*\", ~\"/usr/lib/systemd/system/*\", ~\"/etc/systemd/system/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"t8w-eul-chf"},{"attributes":{"category":"File - Activity","name":"credential_modified_chmod","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard 
tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (chmod.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != + chmod.file.mode","category":"File Activity","creationDate":1642158535079,"updateDate":1699605532822,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ylg-dxo-yuk","attributes":{"version":2,"name":"rc_scripts_modified","description":"RC + scripts modified","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 && (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File + Activity","creationDate":0,"updateDate":1699605532814,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mal-nic-u3y","attributes":{"version":3,"name":"Deno_unauthorized_subprocess_created","description":"Unauthorized + subprocess created by deno runtime","expression":"exec.comm !=\"\" && process.ancestors.comm==\"deno\" + && process.ancestors.args not in 
[r\".*(allow-run|-A|allow-all).*\"]","category":"Process + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1691743022082,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1692012153553,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"cwq-z6j-igp","attributes":{"version":2,"name":"Deno_unauthorized_network_access_performed","description":"Unauthorized + network access by deno runtime","expression":"bind.addr.family>=0 && process.comm==\"deno\" + && process.args not in [r\".*(allow-net|allow-ffi|-A|allow-all).*\"]","category":"Kernel + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1691743022106,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1692012153529,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"hfc-a0c-8yl","attributes":{"version":1,"name":"executable_bit_added","description":"The + executable bit was added to a newly created file","expression":"chmod.file.in_upper_layer + &&\nchmod.file.change_time < 30s &&\ncontainer.id != \"\" &&\nchmod.file.destination.mode + != chmod.file.mode &&\nchmod.file.destination.mode & S_IXUSR|S_IXGRP|S_IXOTH + > 0 &&\nprocess.argv in [\"+x\"]","category":"File 
Activity","creationDate":0,"updateDate":1690311003102,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"osi-fya-a5p","attributes":{"version":19,"name":"ssh_authorized_keys_link","description":"SSH + modified keys may have been modified","expression":"(\n link.file.name in + [ \"authorized_keys\", \"authorized_keys2\" ] && (link.file.path in [ ~\"/root/.ssh/*\", + ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File + Activity","creationDate":1642158535286,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o5j-dvu-sdy","attributes":{"version":19,"name":"ssh_authorized_keys_utimes","description":"SSH + modified keys may have been modified","expression":"(\n utimes.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] && (utimes.file.path in [ ~\"/root/.ssh/*\", + ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","creationDate":1642158535278,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rut-8bg-ycb","attributes":{"version":31,"name":"credential_modified_utimes","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", 
\"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"4fh-bb7-747"},{"attributes":{"category":"File - Activity","name":"credential_modified_chown","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (chown.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n) && (chown.uid != chown.file.uid || chown.gid - != chown.file.gid)"},"type":"agent_rule","id":"eoy-4fe-q7q"},{"attributes":{"category":"File - Activity","name":"credential_modified_link","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (link.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path + \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", + \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", + \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" + ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535200,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qka-g4s-khh","attributes":{"version":19,"name":"ssh_authorized_keys_open","description":"SSH + modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] + && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" + ])\n)","category":"File Activity","creationDate":1642158534864,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g5n-jhl-zge","attributes":{"version":17,"name":"pam_modification_rename","description":"PAM + may have been modified without authorization","expression":"(\n (rename.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1606142936138,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xrg-evq-ka5","attributes":{"version":17,"name":"pam_modification_unlink","description":"PAM + may have been modified without authorization","expression":"(\n (unlink.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File 
Activity","creationDate":1606142936138,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nnu-ch5-3gm","attributes":{"version":1,"name":"deploy_priv_container","description":"A + privileged container was created","expression":"exec.file.name != \"\" && container.created_at + < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0","category":"Process Activity","creationDate":0,"updateDate":1688748464067,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6ln-wqy-y8b","attributes":{"version":1,"name":"net_util_in_container_v2","description":"A + network utility was executed in a container","expression":"(exec.comm in [\"socat\", + \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm + in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args + not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at + > 180s","category":"Process Activity","creationDate":0,"updateDate":1688748463994,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hmy-il6-bk5","attributes":{"version":1,"name":"hidden_file_executed","description":"A + hidden file was executed in a suspicious folder","expression":"exec.file.name + =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", + ~\"/dev/shm/**\"]","category":"Process 
Activity","creationDate":0,"updateDate":1688748463951,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iwa-79s-pb3","attributes":{"version":1,"name":"shell_profile_modification","description":"Shell + profile was modified","expression":"open.file.path in [~\"/home/*/*profile\", + ~\"/home/*/*rc\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0","category":"File + Activity","creationDate":0,"updateDate":1688748463951,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mr2-bwg-0jr","attributes":{"version":1,"name":"suid_file_execution","description":"a + SUID file was executed","expression":"(setuid.euid == 0 || setuid.uid == 0) && + process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != + 0 && process.file.path != \"/usr/bin/sudo\"","category":"File Activity","creationDate":0,"updateDate":1688748463947,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zdz-pje-kbg","attributes":{"version":4,"name":"python_cli_code","description":"Python + code was provided on the command line","expression":"exec.file.name == ~\"python*\" + && exec.args_flags in [\"c\"] && exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", + \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] && exec.args !~ \"*setuptools*\"","category":"Process + Activity","creationDate":0,"updateDate":1688748460425,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"doi-13m-kzx","attributes":{"version":1,"name":"kubernetes_offensive_tool_executed","description":"Kubernetes + 
offensive tool executed","expression":"(exec.file.name in [ ~\"python*\" ] && + (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv )) || exec.file.name + in [\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1688462439963,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1688462439963,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"nrd-9be-wnm","attributes":{"version":9,"name":"compiler_in_container","description":"Compiler + Executed in Container","expression":"(exec.file.name in [\"javac\", \"clang\", + \"gcc\",\"bcc\"] || (exec.file.name == \"go\" && exec.args in [~\"*build*\", + ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path != \"/usr/bin/cilium-agent\"","category":"Process + Activity","creationDate":1627392836759,"updateAuthorUuId":"9d3a4eb0-1e67-11ed-b20c-da7ad0900002","updateDate":1685978095211,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"John + Murray","handle":"john.murray@datadoghq.com"}},"type":"agent_rule"},{"id":"jea-2m4-kyy","attributes":{"version":1,"name":"curl_docker_socket","description":"The + Docker socket was referenced in a cURL command","expression":"exec.file.name + == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args in [\"*docker.sock*\"] + && container.id != \"\"","category":"Process 
Activity","creationDate":0,"updateDate":1684184973805,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"i1f-7yg-x6s","attributes":{"version":1,"name":"sudoers_policy_modified_link","description":"Sudoers + policy file may have been modified without authorization","expression":"(\n (link.file.path + == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","category":"File + Activity","creationDate":0,"updateDate":1684184973412,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r5j-bb3-dmf","attributes":{"version":1,"name":"read_release_info","description":"OS + information was read from the /etc/lsb-release file","expression":"open.file.path + == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0","category":"File Activity","creationDate":0,"updateDate":1684184973295,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"98m-cex-egg","attributes":{"version":1,"name":"user_deleted_tty","description":"A + user was deleted via an interactive session","expression":"exec.file.name in + [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"Process + 
Activity","creationDate":0,"updateDate":1684184973238,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"luc-at7-mvw","attributes":{"version":1,"name":"sudoers_policy_modified_chown","description":"Sudoers + policy file may have been modified without authorization","expression":"(\n (chown.file.path + == \"/etc/sudoers\")\n) && (chown.file.destination.uid != chown.file.uid || + chown.file.destination.gid != chown.file.gid)","category":"File Activity","creationDate":0,"updateDate":1684184973211,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8qc-61h-epb","attributes":{"version":1,"name":"sudoers_policy_modified_unlink","description":"Sudoers + policy file may have been modified without authorization","expression":"(\n (unlink.file.path + == \"/etc/sudoers\")\n)","category":"File Activity","creationDate":0,"updateDate":1684184973209,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"2np-cy4-jad","attributes":{"version":1,"name":"service_stop","description":"systemctl + used to stop a service","expression":"exec.file.name == \"systemctl\" && exec.args + in [~\"*stop*\"]","category":"Process Activity","creationDate":0,"updateDate":1684184973206,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"azw-asm-uwe","attributes":{"version":1,"name":"read_kubeconfig","description":"The + kubeconfig file was accessed","expression":"open.file.path in [~\"/home/*/.kube/config\", + \"/root/.kube/config\"]","category":"File 
Activity","creationDate":0,"updateDate":1684184973196,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qp4-oog-vwu","attributes":{"version":1,"name":"jupyterhub_shell","description":"A + shell command was executed from a JupyterHub code cell","expression":"exec.file.path + == \"/usr/bin/bash\" && process.ancestors.comm == \"jupyterhub-sing\"","category":"Process + Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1682687626099,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1682687626099,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat + Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"k2h-ntz-zno","attributes":{"version":3,"name":"auditctl_usage","description":"The + auditctl command was used to modify auditd","expression":"exec.file.name == + \"auditctl\"","category":"Process Activity","creationDate":0,"updateDate":1681806567456,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Cl\u00e9ment + Kuzniewycz","handle":"clement.kuzniewycz@datadoghq.com"}},"type":"agent_rule"},{"id":"fft-hfp-fuu","attributes":{"version":7,"name":"aws_eks_service_account_token_accessed","description":"The + AWS EKS service account token was accessed","expression":"open.file.path =~ + \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" && open.file.name == + \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File + Activity","creationDate":0,"updateDate":1681806564733,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Cl\u00e9ment + Kuzniewycz","handle":"clement.kuzniewycz@datadoghq.com"}},"type":"agent_rule"},{"id":"ucr-akl-jgo","attributes":{"version":3,"name":"aws_imds","description":"An + AWS IMDS was called via a network utility","expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", + \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","category":"Process + Activity","creationDate":0,"updateDate":1681806563896,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Cl\u00e9ment + Kuzniewycz","handle":"clement.kuzniewycz@datadoghq.com"}},"type":"agent_rule"},{"id":"p6d-hln-r9c","attributes":{"version":23,"name":"ssl_certificate_tampering_chmod","description":"SSL + certificates may have been tampered with","expression":"(\n (chmod.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + && chmod.file.mode != chmod.file.destination.mode\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535314,"updateDate":1681490426484,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9e8-rvn-6hv","attributes":{"version":23,"name":"ssl_certificate_tampering_unlink","description":"SSL + certificates may have been tampered with","expression":"(\n (unlink.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& + process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535055,"updateDate":1681490425998,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rim-3ys-upw","attributes":{"version":3,"name":"dynamic_linker_config_write","description":"A + process wrote to a dynamic linker config file","expression":"open.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] + && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in + [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","creationDate":0,"updateDate":1681490425873,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"twt-qsc-twv","attributes":{"version":23,"name":"ssl_certificate_tampering_link","description":"SSL + certificates may have been tampered with","expression":"(\n (link.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.file.name !~ \"runc*\"\n)","category":"File 
Activity","creationDate":1642158535139,"updateDate":1681490425573,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1n2-xpg-6nx","attributes":{"version":23,"name":"ssl_certificate_tampering_open","description":"SSL + certificates may have been tampered with","expression":"(\n open.flags & + (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", + ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":0,"updateDate":1681490425289,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uot-9ro-hpp","attributes":{"version":2,"name":"shell_history_deleted","description":"Shell + History was Deleted","expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") + && process.comm not in [\"dockerd\", \"containerd\"]","category":"File Activity","creationDate":0,"updateDate":1681490425280,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jxj-xnb-lua","attributes":{"version":3,"name":"shell_history_truncated","description":"Shell + History was Deleted","expression":"open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 && open.file.name =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in + [~\"/root/*\", ~\"/home/**\"] && process.file.name == 
\"truncate\"","category":"File + Activity","creationDate":0,"updateDate":1681490425220,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gur-w5f-2kn","attributes":{"version":23,"name":"ssl_certificate_tampering_rename","description":"SSL + certificates may have been tampered with","expression":"(\n (rename.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& + process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& + process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535082,"updateDate":1681490425217,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jiu-wmv-ig0","attributes":{"version":35,"name":"credential_modified_chmod","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - 
\"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"r5z-tke-sjm"},{"attributes":{"category":"File - Activity","name":"credential_modified_rename","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (rename.file.path + \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", + \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", + \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" + ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode + != chmod.file.mode","category":"File Activity","creationDate":1642158535177,"updateDate":1678909084442,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Nick + Allen","handle":"nick.allen@datadoghq.com"}},"type":"agent_rule"},{"id":"bg2-noz-ouf","attributes":{"version":6,"name":"dirty_pipe_attempt","description":"Potential + Dirty pipe exploitation attempt","expression":"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) + != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid + != 0 && process.gid != 0)","category":"File Activity","creationDate":1648564123603,"updateDate":1678308032425,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Alexander + 
Daskalov","handle":"alexander.daskalov@datadoghq.com"}},"type":"agent_rule"},{"id":"ydj-k3d-kh3","attributes":{"version":4,"name":"ip_check_domain","description":"A + DNS lookup was done for a IP check service","expression":"dns.question.name + in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", + \"whatismyip.akamai.com\"] && process.file.name != \"\"","category":"Network + Activity","creationDate":1648643213312,"updateDate":1678307295173,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Alexander + Daskalov","handle":"alexander.daskalov@datadoghq.com"}},"type":"agent_rule"},{"id":"i64-vlz-y6u","attributes":{"version":22,"name":"systemd_modification_chmod","description":"A + service may have been modified without authorization","expression":"(\n (chmod.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode + != chmod.file.mode","category":"File Activity","creationDate":1642158535224,"updateDate":1677793411681,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"69h-fh3-8gd","attributes":{"version":1,"name":"tty_shell_in_container","description":"A + shell with a TTY was executed in a container","expression":"exec.file.path in + [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n 
\"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] && process.tty_name != \"\" && process.container.id != \"\"","category":"Process + Activity","creationDate":0,"updateDate":1677793400846,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ygs-aya-gxb","attributes":{"version":1,"name":"redis_sandbox_escape","description":"Detects + CVE-2022-0543","expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" + && open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", + \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", + \"libc-2.37.so\"]) && process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","category":"File + Activity","creationDate":0,"updateDate":1677793399338,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"h2l-v6b-akf","attributes":{"version":1,"name":"base64_decode","description":"The + base64 command was used to decode information","expression":"exec.file.name + == \"base64\" && exec.args_flags in [\"d\"]","category":"Process Activity","creationDate":0,"updateDate":1677793399280,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jvq-pxe-ygn","attributes":{"version":21,"name":"systemd_modification_rename","description":"A + service may have been modified without authorization","expression":"(\n (rename.file.path + in [ 
~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", + ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":0,"updateDate":1677793384295,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"esw-xou-pwg","attributes":{"version":11,"name":"package_management_in_container","description":"Package + management was detected in a container","expression":"exec.file.path in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + && container.id != \"\"","category":"Process Activity","creationDate":1617722067648,"updateDate":1677793383505,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0yf-x4j-zbg","attributes":{"version":6,"name":"user_created_tty","description":"A + user was created via an interactive session","expression":"exec.file.name in + [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name !=\"\" && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + && exec.args_flags not in [\"D\"]","category":"Process 
Activity","creationDate":1627392836979,"updateDate":1677793382984,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7nm-5gf-ghj","attributes":{"version":3,"name":"new_binary_execution_in_container","description":"A + container executed a new binary not found in the container image","expression":"container.id + != \"\" && process.file.in_upper_layer && process.file.modification_time < 30s + && exec.file.name != \"\"","category":"Process Activity","creationDate":1652129906455,"updateDate":1677793380182,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wib-i2s-0eb","attributes":{"version":17,"name":"pam_modification_utimes","description":"PAM + may have been modified without authorization","expression":"(\n (utimes.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142936138,"updateDate":1677793376369,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d1p-2un-5ay","attributes":{"version":21,"name":"systemd_modification_link","description":"A + service may have been modified without authorization","expression":"(\n (link.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", + ~\"/etc/systemd/system/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":0,"updateDate":1677793376080,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aic-m2b-kbp","attributes":{"version":22,"name":"systemd_modification_chown","description":"A + service may have been modified without authorization","expression":"(\n (chown.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File + Activity","creationDate":0,"updateDate":1677793375206,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rxa-v6v-oyz","attributes":{"version":31,"name":"credential_modified_rename","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - 
\"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"ac4-asc-qi4"},{"attributes":{"category":"File - Activity","name":"credential_modified_open","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n open.flags - & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", - \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", - \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && process.ancestors.file.path not - in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"cne-1ft-bei"},{"attributes":{"category":"File - Activity","name":"credential_modified_unlink","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (unlink.file.path + \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", + \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", + \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" + ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + 
Activity","creationDate":1642158535356,"updateDate":1677793375033,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tys-u1m-rgt","attributes":{"version":33,"name":"kernel_module_chown","description":"A + new kernel module was added","expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) + && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793374885,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hzz-0oh-mji","attributes":{"version":32,"name":"kernel_module_utimes","description":"A + new kernel module was added","expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && 
process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File + Activity","creationDate":1598516746168,"updateDate":1677793374395,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"om1-5ch-5sf","attributes":{"version":32,"name":"kernel_module_unlink","description":"A + new kernel module was added","expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File + Activity","creationDate":1598516746168,"updateDate":1677793372622,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wwu-ysx-rm7","attributes":{"version":32,"name":"kernel_module_rename","description":"A + new kernel module was added","expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File + Activity","creationDate":1642158535229,"updateDate":1677793372373,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rza-8h3-4lj","attributes":{"version":32,"name":"credential_modified_chown","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"ay7-jkz-rda"},{"attributes":{"category":"File - Activity","name":"credential_modified_utimes","creator":{"handle":"","name":""},"description":"Either - /etc/shadow/ or /etc/gshadow was modified by a non-standard tool","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662623,"creationDate":1598516746271,"expression":"(\n (utimes.file.path + \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", + \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", + \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" + ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid + != 
chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File + Activity","creationDate":1642158534952,"updateDate":1677793372165,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"s17-cle-cuf","attributes":{"version":31,"name":"credential_modified_link","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (link.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\" ]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"psd-3el-h33"},{"attributes":{"category":"File - Activity","name":"runc_modification","creator":{"handle":"","name":""},"description":"Runc - Binary Modified","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1636729662517,"creationDate":1627392837049,"expression":"open.file.path - in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags - & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n&& process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]"},"type":"agent_rule","id":"qng-psi-j15"},{"attributes":{"category":"Process - 
Activity","name":"user_created_tty","creator":{"handle":"","name":""},"description":"User - Created Interactively","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1636729662452,"creationDate":1627392836979,"expression":"exec.file.name - in [\"useradd\", \"newusers\"] && exec.tty_name !=\"\""},"type":"agent_rule","id":"asy-mod-zmt"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_chmod","creator":{"handle":"","name":""},"description":"SSL - Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (chmod.file.path - in [ ~\"/etc/ssl/certs/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"ybu-yya-acz"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_chown","creator":{"handle":"","name":""},"description":"SSL - Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (chown.file.path - in [ ~\"/etc/ssl/certs/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n) && (chown.uid != chown.file.uid - || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"ohe-vlf-t2h"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_link","creator":{"handle":"","name":""},"description":"SSL - Certificate 
Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (link.file.path - in [ ~\"/etc/ssl/certs/*\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"7nq-ugi-gu1"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_rename","creator":{"handle":"","name":""},"description":"SSL - Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (rename.file.path - in [ ~\"/etc/ssl/certs/*\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"qzs-yvl-f4t"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_open","creator":{"handle":"","name":""},"description":"SSL - Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/*\" - ])\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"2p0-3i2-b4y"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_unlink","creator":{"handle":"","name":""},"description":"SSL - 
Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (unlink.file.path - in [ ~\"/etc/ssl/certs/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"jin-icc-lpi"},{"attributes":{"category":"File - Activity","name":"ssl_certificate_tampering_utimes","creator":{"handle":"","name":""},"description":"SSL - Certificate Tampering","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1636729662415,"creationDate":1606142980369,"expression":"(\n (utimes.file.path - in [ ~\"/etc/ssl/certs/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n)"},"type":"agent_rule","id":"w07-amm-bxr"},{"attributes":{"category":"File - Activity","name":"kernel_module_chmod","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (chmod.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) - && chmod.mode != 
chmod.file.mode"},"type":"agent_rule","id":"avt-p2e-fyc"},{"attributes":{"category":"File - Activity","name":"kernel_module_chown","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (chown.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) - && (chown.uid != chown.file.uid || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"cd0-w8q-vl4"},{"attributes":{"category":"File - Activity","name":"kernel_module_link","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (link.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ]\n || link.file.destination.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)"},"type":"agent_rule","id":"ec9-vff-7ni"},{"attributes":{"category":"File - Activity","name":"kernel_module_rename","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (rename.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ]\n || rename.file.destination.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)"},"type":"agent_rule","id":"mpb-1rj-dv6"},{"attributes":{"category":"File - Activity","name":"kernel_module_open","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/*\", - ~\"/usr/lib/modules/*\" ])\n && process.file.path not in [\"/usr/bin/apt\", - \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && process.ancestors.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"] - && process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)"},"type":"agent_rule","id":"xye-pfo-y0r"},{"attributes":{"category":"File - Activity","name":"kernel_module_unlink","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (unlink.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)"},"type":"agent_rule","id":"c4t-pxu-ixk"},{"attributes":{"category":"File - Activity","name":"kernel_module_utimes","creator":{"handle":"","name":""},"description":"A - kernel module was added to /lib/modules/","enabled":true,"defaultRule":true,"version":7,"updater":{"handle":"","name":""},"updateDate":1636729662391,"creationDate":1598516746168,"expression":"(\n (utimes.file.path - in [ ~\"/lib/modules/*\", ~\"/usr/lib/modules/*\" ])\n && process.file.path - not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n && - process.ancestors.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", - \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)"},"type":"agent_rule","id":"fpw-paa-smb"},{"attributes":{"category":"Process - 
Activity","name":"compiler_in_container","creator":{"handle":"","name":""},"description":"Compiler - Executed in Container","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1636729662344,"creationDate":1627392836759,"expression":"(exec.file.name - in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" && exec.args - in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path - != \"/usr/bin/cilium-agent\""},"type":"agent_rule","id":"ily-tsr-dtj"},{"attributes":{"category":"Process - Activity","name":"package_management_in_container","creator":{"handle":"","name":""},"description":"Package - management in container","enabled":true,"defaultRule":true,"version":2,"updater":{"handle":"","name":""},"updateDate":1636729662123,"creationDate":1617722067648,"expression":"exec.file.path - in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\", \"/usr/bin/dpkg\", - \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"] - && container.id != \"\""},"type":"agent_rule","id":"3tj-btx-kvo"},{"attributes":{"category":"Kernel - Activity","name":"selinux_disable_enforcement","creator":{"handle":"","name":""},"description":"SELinux - enforcement status was disabled","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1635332067172,"creationDate":1635332067172,"expression":"selinux.enforce.status - in [\"permissive\", \"disabled\"]"},"type":"agent_rule","id":"je9-er4-njy"},{"attributes":{"category":"Process - Activity","name":"aws_metadata_service","creator":{"handle":"","name":""},"description":"EC2 - Instance Metadata Service Accessed via Network Utility","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1629226276630,"creationDate":1627392836096,"expression":"exec.file.path - in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in 
[~\"*169.254.169.254*\"]"},"type":"agent_rule","id":"jl5-wjt-58e"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_chmod","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (chmod.file.path - in [ ~\"/var/spool/cron/*\" ])\n && process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"ipa-v3l-kt6"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_chown","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (chown.file.path - in [ ~\"/var/spool/cron/*\" ])\n && process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n) && (chown.uid != chown.file.uid || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"3xl-qds-f0e"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_link","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (link.file.path - in [ ~\"/var/spool/cron/*\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/*\" - ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" - ]\n)"},"type":"agent_rule","id":"0gu-pqy-o1a"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_rename","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (rename.file.path - in [ 
~\"/var/spool/cron/*\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/*\" - ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" - ]\n)"},"type":"agent_rule","id":"cmu-g58-cau"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_open","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/*\" - ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" - ]\n)"},"type":"agent_rule","id":"onm-dqu-jly"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_unlink","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (unlink.file.path - in [ ~\"/var/spool/cron/*\" ])\n && process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)"},"type":"agent_rule","id":"atu-tci-bjn"},{"attributes":{"category":"File - Activity","name":"cron_at_job_creation_utimes","creator":{"handle":"","name":""},"description":"Cron - AT Job Creation","enabled":true,"defaultRule":true,"version":4,"updater":{"handle":"","name":""},"updateDate":1628512222418,"creationDate":1606142961130,"expression":"(\n (utimes.file.path - in [ ~\"/var/spool/cron/*\" ])\n && process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)"},"type":"agent_rule","id":"ygn-d8o-ncr"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_chmod","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration 
Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (chmod.file.path - in [ \"/etc/nsswitch.conf\" ])\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"ki2-nwj-sot"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_chown","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (chown.file.path - in [ \"/etc/nsswitch.conf\" ])\n) && (chown.uid != chown.file.uid || chown.gid - != chown.file.gid)"},"type":"agent_rule","id":"nyc-gfz-yr5"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_link","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (link.file.path - in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)"},"type":"agent_rule","id":"8ol-dkr-aml"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_rename","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (rename.file.path - in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)"},"type":"agent_rule","id":"pkn-azw-qia"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_open","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration 
Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n open.flags - & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" - ])\n)"},"type":"agent_rule","id":"fdf-wvb-c3k"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_unlink","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (unlink.file.path - in [ \"/etc/nsswitch.conf\" ])\n)"},"type":"agent_rule","id":"wpt-ba8-mpd"},{"attributes":{"category":"File - Activity","name":"nsswitch_conf_mod_utimes","creator":{"handle":"","name":""},"description":"Nsswitch - Configuration Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512222322,"creationDate":1606142958657,"expression":"(\n (utimes.file.path - in [ \"/etc/nsswitch.conf\" ])\n)"},"type":"agent_rule","id":"7ud-d2o-qgo"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_chmod","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n chmod.file.name - == \"authorized_keys\" && (chmod.file.path in [ ~\"*/.ssh/*\" ])\n) && chmod.mode - != chmod.file.mode"},"type":"agent_rule","id":"vqc-lta-u8c"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_chown","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n chown.file.name - == \"authorized_keys\" && (chown.file.path in [ 
~\"*/.ssh/*\" ])\n) && (chown.uid - != chown.file.uid || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"ien-7aw-blw"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_link","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n link.file.name - == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path - in [ ~\"*/.ssh/*\" ])\n)"},"type":"agent_rule","id":"za8-uxc-jxk"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_rename","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n rename.file.name - == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path - in [ ~\"*/.ssh/*\" ])\n)"},"type":"agent_rule","id":"tiz-yss-zhq"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_open","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" - && (open.file.path in [ ~\"*/.ssh/*\" ])\n)"},"type":"agent_rule","id":"nej-iw4-adk"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_unlink","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n unlink.file.name - == \"authorized_keys\" && (unlink.file.path 
in [ ~\"*/.ssh/*\" ])\n)"},"type":"agent_rule","id":"apr-zj4-ee1"},{"attributes":{"category":"File - Activity","name":"ssh_authorized_keys_utimes","creator":{"handle":"","name":""},"description":"SSH - Authorized Keys Modified","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221784,"creationDate":1606142954844,"expression":"(\n utimes.file.name - == \"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n)"},"type":"agent_rule","id":"yhq-etl-wr6"},{"attributes":{"category":"File - Activity","name":"pam_modification_chmod","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (chmod.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n) && chmod.mode != chmod.file.mode"},"type":"agent_rule","id":"12k-ui3-z4h"},{"attributes":{"category":"File - Activity","name":"pam_modification_chown","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (chown.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n) && (chown.uid != chown.file.uid - || chown.gid != chown.file.gid)"},"type":"agent_rule","id":"fak-u9s-pac"},{"attributes":{"category":"File - Activity","name":"pam_modification_link","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (link.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" 
])\n)"},"type":"agent_rule","id":"m8i-uhr-aoq"},{"attributes":{"category":"File - Activity","name":"pam_modification_rename","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (rename.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)"},"type":"agent_rule","id":"2fy-aqt-8mz"},{"attributes":{"category":"File - Activity","name":"pam_modification_open","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", - \"/etc/pam.conf\" ])\n)"},"type":"agent_rule","id":"adl-qjr-lyg"},{"attributes":{"category":"File - Activity","name":"pam_modification_unlink","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (unlink.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)"},"type":"agent_rule","id":"ei7-n5e-rvv"},{"attributes":{"category":"File - Activity","name":"pam_modification_utimes","creator":{"handle":"","name":""},"description":"PAM - Configuration Files Modification","enabled":true,"defaultRule":true,"version":3,"updater":{"handle":"","name":""},"updateDate":1628512221276,"creationDate":1606142936138,"expression":"(\n (utimes.file.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)"},"type":"agent_rule","id":"ohp-ags-xpk"},{"attributes":{"category":"Process - 
Activity","name":"passwd_execution","creator":{"handle":"","name":""},"description":"Passwd - utility executed","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1627913197013,"creationDate":1617722068383,"expression":"exec.file.path - == \"/usr/bin/passwd\""},"type":"agent_rule","id":"ejk-rbu-v9x"},{"attributes":{"category":"Process - Activity","name":"java_shell_execution","creator":{"handle":"","name":""},"description":"Java - process spawned shell/utility","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1627913196085,"creationDate":1617722069224,"expression":"(exec.file.path - in [ \"/bin/dash\", \"/usr/bin/dash\",\n \"/bin/sh\", \"/bin/static-sh\", \"/usr/bin/sh\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\", - \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\", \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\", - \"/bin/zsh5-static\" ] ||\n exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] - ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n&& - process.ancestors.file.name == \"java\""},"type":"agent_rule","id":"pej-frv-8lb"},{"attributes":{"category":"Process - 
Activity","name":"common_net_intrusion_util","creator":{"handle":"","name":""},"description":"Nmap - Execution Detected","enabled":true,"defaultRule":true,"version":1,"updater":{"handle":"","name":""},"updateDate":1627913195813,"creationDate":1617722067554,"expression":"exec.file.path - == \"/usr/bin/nmap\""},"type":"agent_rule","id":"yiy-mba-pny"}]}' + \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", + \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", + \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" + ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535271,"updateDate":1677793372149,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ty2-qc4-drd","attributes":{"version":32,"name":"kernel_module_link","description":"A + new kernel module was added","expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", + ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && 
process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File + Activity","creationDate":1642158535200,"updateDate":1677793372103,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hsk-ug8-fu7","attributes":{"version":32,"name":"kernel_module_open","description":"A + new kernel module was added","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" + ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793371891,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rme-dmd-trz","attributes":{"version":31,"name":"credential_modified_unlink","description":"Sensitive + credential files were modified using a non-standard tool","expression":"(\n (unlink.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ + \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", + \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", + \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" + ]\n 
&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File + Activity","creationDate":1642158535113,"updateDate":1677793371890,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bya-q5x-vjt","attributes":{"version":24,"name":"cron_at_job_creation_rename","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (rename.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || + rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" + ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142961130,"updateDate":1674486419017,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6p8-mws-jmo","attributes":{"version":1,"name":"potential_web_shell_parent","description":"A + web application spawned a shell or shell utility","expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n 
\"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in + [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/
unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + &&\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] + || process.parent.file.name =~ \"php*\")","category":"Process Activity","creationDate":0,"updateDate":1674486410462,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c3b-qwh-lwy","attributes":{"version":1,"name":"mount_host_fs","description":"The + host file system was mounted in a container","expression":"mount.source.path + == \"/\" && mount.fs_type != \"overlay\" && container.id != \"\"","category":"File + Activity","creationDate":0,"updateDate":1674486409763,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mfw-adh-mba","attributes":{"version":1,"name":"memfd_create","description":"memfd + object created","expression":"exec.file.name =~ \"memfd*\" && exec.file.path + == \"\"","category":"Process Activity","creationDate":0,"updateDate":1674486409582,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ylo-d9p-7e2","attributes":{"version":25,"name":"cron_at_job_creation_chmod","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (chmod.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && chmod.file.destination.mode + != chmod.file.mode\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142961130,"updateDate":1674486392555,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zwi-z69-wxv","attributes":{"version":25,"name":"cron_at_job_creation_chown","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (chown.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142961130,"updateDate":1674486392076,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"abd-4hy-aep","attributes":{"version":25,"name":"cron_at_job_creation_utimes","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (utimes.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File 
Activity","creationDate":1606142961130,"updateDate":1674486391087,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kft-h30-mqm","attributes":{"version":25,"name":"cron_at_job_creation_unlink","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (unlink.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142961130,"updateDate":1674486390957,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xda-xrq-k9e","attributes":{"version":25,"name":"cron_at_job_creation_open","description":"An + unauthorized job was added to cron scheduling","expression":"(\n open.flags + & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", + ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ + \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + 
Activity","creationDate":1606142961130,"updateDate":1674486390712,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vxt-pdr-0cl","attributes":{"version":25,"name":"cron_at_job_creation_link","description":"An + unauthorized job was added to cron scheduling","expression":"(\n (link.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || + link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" + ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File + Activity","creationDate":1606142961130,"updateDate":1674486390691,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"z01-5m6-bbi","attributes":{"version":1,"name":"gcp_imds","description":"An + GCP IMDS was called via a network utility","expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", + ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","category":"Process + Activity","creationDate":0,"updateDate":1670604148337,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tez-7by-uke","attributes":{"version":1,"name":"azure_imds","description":"An + Azure IMDS was called via a network utility","expression":"exec.comm in [\"wget\", + \"curl\", 
\"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","category":"Process + Activity","creationDate":0,"updateDate":1670604148316,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fcs-rzj-p0a","attributes":{"version":1,"name":"net_unusual_request","description":"Network + utility executed with suspicious URI","expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","category":"Process + Activity","creationDate":0,"updateDate":1670604148316,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u4x-0kv-jq1","attributes":{"version":2,"name":"ptrace_antidebug","description":"A + process uses an anti-debugging technique to block debuggers","expression":"ptrace.request + == PTRACE_TRACEME && process.file.name != \"\"","category":"Kernel Activity","creationDate":1650293718435,"updateDate":1670604142703,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hyc-d0a-iat","attributes":{"version":9,"name":"passwd_execution","description":"The + passwd or chpasswd utility was used to modify an account password","expression":"exec.file.path + in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags not in [\"S\", + \"status\"]","category":"Process Activity","creationDate":1617722068383,"updateDate":1666888149907,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vls-ztk-8p0","attributes":{"version":2,"name":"dirty_pipe_exploitation","description":"Potential + Dirty pipe 
exploitation","expression":"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) + > 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","creationDate":1648564123563,"updateDate":1666888149012,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3ga-ibr-dlw","attributes":{"version":19,"name":"net_util_in_container","description":"A + network utility was executed in a container","expression":"(exec.comm in [\"socat\", + \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm + in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args + not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process + Activity","creationDate":1617722068439,"updateDate":1666888148873,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kel-je5-jhu","attributes":{"version":14,"name":"net_util","description":"A + network utility was executed","expression":"(exec.comm in [\"socat\", \"dig\", + \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in + [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id == \"\" && exec.args + not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process + Activity","creationDate":1617722067377,"updateDate":1666888148817,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zp1-2vr-dji","attributes":{"version":1,"name":"ld_preload_unusual_library_path","description":"The + LD_PRELOAD variable is populated by a link to a suspicious file directory","expression":"exec.envs + in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" 
]","category":"Process + Activity","creationDate":0,"updateDate":1665475122104,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iha-seu-ukg","attributes":{"version":18,"name":"pam_modification_chown","description":"PAM + may have been modified without authorization","expression":"(\n (chown.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File + Activity","creationDate":1642158535185,"updateDate":1665475117830,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5jz-f4m-ujl","attributes":{"version":17,"name":"pam_modification_chmod","description":"PAM + may have been modified without authorization","expression":"(\n (chmod.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && chmod.file.destination.mode + != chmod.file.mode","category":"File Activity","creationDate":1606142936138,"updateDate":1665475098297,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hyg-xco-0yu","attributes":{"version":19,"name":"ssh_authorized_keys_chmod","description":"SSH + modified keys may have been modified","expression":"(\n chmod.file.name in + [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", + ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && chmod.file.destination.mode + != chmod.file.mode","category":"File 
Activity","creationDate":1642158535014,"updateDate":1665475096405,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m6c-qaa-oq5","attributes":{"version":1,"name":"shell_history_symlink","description":"A + symbolic link for shell history was created targeting /dev/null","expression":"exec.comm + == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]","category":"Process + Activity","creationDate":0,"updateDate":1661193978111,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"e8x-hfv-opq","attributes":{"version":3,"name":"potential_cryptominer","description":"A + process resolved a DNS name associated with cryptomining activity","expression":"dns.question.name + in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", + ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] + && process.file.name != \"\"","category":"Network Activity","creationDate":1648643213236,"updateDate":1658502066736,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o9o-bqw-xda","attributes":{"version":2,"name":"paste_site","description":"A + DNS lookup was done for a pastebin-like site","expression":"dns.question.name + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] && process.file.name + != \"\"","category":"Network 
Activity","creationDate":1648643213212,"updateDate":1654020328112,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ozc-4r6-5v6","attributes":{"version":2,"name":"kernel_module_load_container","description":"A + container loaded a new kernel module","expression":"load_module.name != \"\" + && container.id !=\"\"","category":"Kernel Activity","creationDate":1650293718705,"updateDate":1650371510304,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qxl-uky-d3i","attributes":{"version":1,"name":"ptrace_injection","description":"A + process attempted to inject code into another process","expression":"ptrace.request + == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == + PTRACE_POKEUSR","category":"Kernel Activity","creationDate":1650293718540,"updateDate":1650293782685,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hkb-qnu-nin","attributes":{"version":1,"name":"kernel_module_load_from_memory_container","description":"A + kernel module was loaded from memory inside a container","expression":"load_module.loaded_from_memory + == true && container.id !=\"\"","category":"Kernel Activity","creationDate":1650293718365,"updateDate":1650293782651,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vgp-c7n-4ww","attributes":{"version":17,"name":"pam_modification_open","description":"PAM + may have been modified without authorization","expression":"(\n open.flags + & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", + 
\"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1642158535331,"updateDate":1643993958380,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dk5-qem-ukk","attributes":{"version":17,"name":"pam_modification_link","description":"PAM + may have been modified without authorization","expression":"(\n (link.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1642158535089,"updateDate":1643993957839,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g0j-tcx-9yi","attributes":{"version":16,"name":"nsswitch_conf_mod_link","description":"Nsswitch + Configuration Modified","expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" + ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File + Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wu3-ect-q5y","attributes":{"version":16,"name":"nsswitch_conf_mod_rename","description":"Nsswitch + Configuration Modified","expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" + ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File + Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nfl-b7w-jla","attributes":{"version":16,"name":"nsswitch_conf_mod_unlink","description":"Nsswitch + 
Configuration Modified","expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" + ])\n)","category":"File Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vti-qnm-wg7","attributes":{"version":16,"name":"nsswitch_conf_mod_utimes","description":"Nsswitch + Configuration Modified","expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" + ])\n)","category":"File Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"}]} + + ' code: 200 duration: 0ms headers: Content-Type: - - application/json;charset=utf-8 + - application/json status: 200 OK - request: body: '' @@ -806,13 +1072,11 @@ interactions: - '*/*' id: 2 method: DELETE - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/w3n-qy8-qud + url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/gd2-ogg-fyk response: body: '' code: 204 duration: 0ms - headers: - Content-Type: - - application/json;charset=utf-8 + headers: {} status: 204 No Content version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze new file mode 100644 index 00000000000..bfb813f093f --- /dev/null +++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze @@ -0,0 +1 @@ +2024-03-08T14:19:14.825Z \ No newline at end of file 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.yaml new file mode 100644 index 00000000000..b5e6167713c --- /dev/null +++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.yaml @@ -0,0 +1,19 @@ +interactions: +- request: + body: '' + form: {} + headers: + Accept: + - application/zip, application/json + id: 0 + method: GET + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/download + response: + body: 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 + code: 200 + duration: 0ms + headers: + Content-Type: + - application/zip + status: 200 OK +version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze index c889c00f99b..70ab598aa1b 100644 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze +++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze @@ -1 +1 @@ -2022-05-12T09:51:26.237Z \ No newline at end of file +2024-03-08T14:19:15.311Z \ No newline at end of file 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.yaml index b0da1607af3..7630a6c1969 100644 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.yaml +++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.yaml 
@@ -11,798 +11,1153 @@ interactions: response: body: "# IMPORTANT: Edits to this file will not be reflected in the Datadog App\ \ and will be overwritten with new policy file downloads. Please modify rules\ - \ in the Datadog App for full functionality.\nversion: '1652349086649'\nrules:\n\ - - id: apparmor_modified_tty\n version: a7f3b5c2\n description: AppArmor Profile\ - \ Modified\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\"\ - , \"aa-audit\"] && exec.tty_name\n !=\"\"\n- id: aws_metadata_service\n \ - \ version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via\ - \ Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"\ - ] && exec.args in\n [~\"*169.254.169.254*\"]\n- id: common_net_intrusion_util\n\ - \ version: c7198131\n description: Nmap Execution Detected\n expression:\ - \ exec.file.path == \"/usr/bin/nmap\"\n- id: compiler_in_container\n version:\ - \ 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name\ - \ in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\"\ - \ && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n\ - \ != \"/usr/bin/cilium-agent\"\n- id: credential_modified_chmod\n version:\ - \ 7e14d921\n description: Either /etc/shadow/ or /etc/gshadow was modified\ - \ by a non-standard\n tool\n expression: \"(\\n (chmod.file.path in [\ - \ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n\\\n \\ && process.file.path\ - \ not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\n\ - \ , \\\"/usr/sbin/vigr\\\" ]\\n && process.ancestors.file.path not in\ - \ [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n) && chmod.mode != chmod.file.mode\"\ - \n- id: credential_modified_chown\n version: 3731e0d5\n 
description: Either\ - \ /etc/shadow/ or /etc/gshadow was modified by a non-standard\n tool\n expression:\ - \ \"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\"\ - \ ])\\n\\\n \\ && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"\ - /usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\n , \\\"/usr/sbin/vigr\\\" ]\\n\ - \ && process.ancestors.file.path not in [\\\"/usr/bin/apt\\\"\\\n , \\\ - \"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\",\ - \ \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n) && (chown.uid != chown.file.uid\\\n \\ || chown.gid != chown.file.gid)\"\ - \n- id: credential_modified_link\n version: 7594ec54\n description: Either\ - \ /etc/shadow/ or /etc/gshadow was modified by a non-standard\n tool\n expression:\ - \ \"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\\ - n \\\n \\ || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"\ - /etc/gshadow\\\" ])\\n\\\n \\ && process.file.path not in [ \\\"/sbin/vipw\\\ - \", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\n , \\\"/usr/sbin/vigr\\\ - \" ]\\n && process.ancestors.file.path not in [\\\"/usr/bin/apt\\\"\\\n \ - \ , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n)\"\n- id: credential_modified_open\n version: 2d65e37f\n description:\ - \ Either /etc/shadow/ or /etc/gshadow was modified by a non-standard\n tool\n\ - \ expression: \"(\\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) >\ - \ 0 &&\\n \\\n \\ (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\ - \" ])\\n && process.file.path\\\n \\ not in [ \\\"/sbin/vipw\\\", \\\"\ - /usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\"\\\n \\ ]\\\ - n && process.ancestors.file.path not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\ - \"\\\n , 
\\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\ - \n- id: credential_modified_rename\n version: 8bb8242b\n description: Either\ - \ /etc/shadow/ or /etc/gshadow was modified by a non-standard\n tool\n expression:\ - \ \"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\"\ - \ ]\\n\\\n \\ || rename.file.destination.path in [ \\\"/etc/shadow\\\"\ - , \\\"/etc/gshadow\\\" ])\\n\\\n \\ && process.file.path not in [ \\\"\ - /sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\n , \\\"/usr/sbin/vigr\\\ - \" ]\\n && process.ancestors.file.path not in [\\\"/usr/bin/apt\\\"\\\n \ - \ , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n)\"\n- id: credential_modified_unlink\n version: 5af577d\n description:\ - \ Either /etc/shadow/ or /etc/gshadow was modified by a non-standard\n tool\n\ - \ expression: \"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\ - \" ])\\n\\\n \\ && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"\ - /usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\n , \\\"/usr/sbin/vigr\\\" ]\\n\ - \ && process.ancestors.file.path not in [\\\"/usr/bin/apt\\\"\\\n , \\\ - \"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\",\ - \ \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n)\"\n- id: credential_modified_utimes\n version: 1c101338\n description:\ - \ Either /etc/shadow/ or /etc/gshadow was modified by a non-standard\n tool\n\ - \ expression: \"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\ - \" ])\\n\\\n \\ && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"\ - /usr/sbin/vipw\\\", \\\"/sbin/vigr\\\"\\\n , \\\"/usr/sbin/vigr\\\" ]\\n\ - \ && process.ancestors.file.path not in 
[\\\"/usr/bin/apt\\\"\\\n , \\\ - \"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\",\ - \ \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n)\"\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description:\ - \ Cron AT Job Creation\n expression: \"(\\n (chmod.file.path in [ ~\\\"\ - /var/spool/cron/*\\\" ])\\n && process.file.path\\\n \\ not in [ \\\"\ - /usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && chmod.mode != chmod.file.mode\"\ - \n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: Cron\ - \ AT Job Creation\n expression: \"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/*\\\ - \" ])\\n && process.file.path\\\n \\ not in [ \\\"/usr/bin/at\\\", \\\"\ - /usr/bin/crontab\\\" ]\\n) && (chown.uid != chown.file.uid\\\n \\ || chown.gid\ - \ != chown.file.gid)\"\n- id: cron_at_job_creation_link\n version: b83e03f6\n\ - \ description: Cron AT Job Creation\n expression: \"(\\n (link.file.path\ - \ in [ ~\\\"/var/spool/cron/*\\\" ]\\n || link.file.destination.path\\\n\ - \ \\ in [ ~\\\"/var/spool/cron/*\\\" ])\\n && process.file.path not in\ - \ [ \\\"/usr/bin/at\\\"\\\n , \\\"/usr/bin/crontab\\\" ]\\n)\"\n- id: cron_at_job_creation_open\n\ - \ version: 561ad06\n description: Cron AT Job Creation\n expression: \"(\\\ - n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path\\\n\ - \ \\ in [ ~\\\"/var/spool/cron/*\\\" ])\\n && process.file.path not in\ - \ [ \\\"/usr/bin/at\\\"\\\n , \\\"/usr/bin/crontab\\\" ]\\n)\"\n- id: cron_at_job_creation_rename\n\ - \ version: 59b739d8\n description: Cron AT Job Creation\n expression: \"\ - (\\n (rename.file.path in [ ~\\\"/var/spool/cron/*\\\" ]\\n || rename.file.destination.path\\\ - \n \\ in [ ~\\\"/var/spool/cron/*\\\" ])\\n && process.file.path not in\ - \ [ \\\"/usr/bin/at\\\"\\\n , \\\"/usr/bin/crontab\\\" ]\\n)\"\n- id: cron_at_job_creation_unlink\n\ - \ version: 82b6d187\n description: Cron AT Job Creation\n 
expression: \"\ - (\\n (unlink.file.path in [ ~\\\"/var/spool/cron/*\\\" ])\\n && process.file.path\\\ - \n \\ not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\"\n- id:\ - \ cron_at_job_creation_utimes\n version: d460ba68\n description: Cron AT Job\ - \ Creation\n expression: \"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/*\\\ - \" ])\\n && process.file.path\\\n \\ not in [ \\\"/usr/bin/at\\\", \\\"\ - /usr/bin/crontab\\\" ]\\n)\"\n- id: database_shell_execution\n version: 3508c713\n\ - \ description: A database application spawned a shell, shell utility, or HTTP\ - \ utility\n expression: \"(exec.file.path in [ \\\"/bin/dash\\\", \\\"/usr/bin/dash\\\ - \",\\n \\\"/bin/sh\\\"\\\n , \\\"/bin/static-sh\\\", \\\"/usr/bin/sh\\\"\ - ,\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\"\\\n ,\\n \\\"\ - /usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\ - \"/usr/bin/ksh\\\"\\\n ,\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\ - \",\\n \\\"/bin/busybox\\\"\\\n ,\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\ - \",\\n \\\"/bin/rksh\\\", \\\"/bin/rksh93\\\",\\n\\\n \\ \\\"/bin/lksh\\\ - \",\\n \\\"/bin/mksh\\\", \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\ - \"\\\n ,\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\ - \",\\n \\\"/usr/bin/yash\\\"\\\n ,\\n \\\"/bin/zsh5\\\", \\\"/bin/zsh5-static\\\ - \" ] ||\\n exec.file.path in [\\\"/usr/bin/wget\\\"\\\n , \\\"/usr/bin/curl\\\ - \"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\ - \"\\\n ,\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\ - \",\\\"/bin/df\\\",\\\"/bin/dir\\\"\\\n ,\\\"/bin/echo\\\",\\\"/bin/ln\\\"\ - ,\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\"\\\ - \n ,\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\"\ - ,\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\"\\\n ,\\\"/bin/stty\\\",\\\"/bin/sync\\\ - 
\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\ - \"\\\n ,\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\ - \",\\\"/usr/bin/basename\\\"\\\n ,\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\ - \",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"\\\n /usr/bin/cut\\\"\ - ,\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"\ - \\\n /usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"\ - /usr/bin/factor\\\",\\\"/usr/bin/fmt\\\"\\\n ,\\\"/usr/bin/fold\\\",\\\"\ - /usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"\\\n \ - \ /usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\ - \",\\\"/usr/bin/logname\\\"\\\n ,\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\ - \",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\"\\\n ,\\\"/usr/bin/nl\\\"\ - ,\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"\\\ - \n /usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\ - \",\\\"/usr/bin/pr\\\"\\\n ,\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\ - \",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\"\\\n ,\\\"/usr/bin/runcon\\\ - \",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\"\\\ - \n ,\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\ - \",\\\"/usr/bin/shred\\\"\\\n ,\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\"\ - ,\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\"\\\n \ - \ ,\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\ - \",\\\"/usr/bin/test\\\"\\\n ,\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\"\ - ,\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\"\\\n ,\\\"/usr/bin/tty\\\ - \",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\"\\\ - \n ,\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"\ - /usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"\\\n ]) 
&&\\nprocess.ancestors.file.name\ - \ in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] &&\\n\\\n !(process.ancestors.file.name\ - \ == \\\"initdb\\\" &&\\nexec.args == ~\\\"*locale -a*\\\")\"\n- id: dirty_pipe_attempt\n\ + \ in the Datadog App for full functionality.\nversion: '1709907555575'\nrules:\n\ + - id: Deno_unauthorized_network_access_performed\n version: 482a395e\n description:\ + \ Unauthorized network access by deno runtime\n expression: bind.addr.family>=0\ + \ && process.comm==\"deno\" && process.args not in [r\".*(allow-net|allow-ffi|-A|allow-all).*\"\ + ]\n agent_version: ''\n filters: []\n- id: Deno_unauthorized_subprocess_created\n\ + \ version: d2d82b09\n description: Unauthorized subprocess created by deno\ + \ runtime\n expression: exec.comm !=\"\" && process.ancestors.comm==\"deno\"\ + \ && process.ancestors.args\n not in [r\".*(allow-run|-A|allow-all).*\"]\n\ + \ agent_version: ''\n filters: []\n- id: apparmor_modified_tty\n version:\ + \ a7f3b5c2\n description: An AppArmor profile was modified in an interactive\ + \ session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\"\ + , \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description:\ + \ The auditctl command was used to modify auditd\n expression: exec.file.name\ + \ == \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_config_modified\n\ + \ version: c7f52a7a\n description: The auditd configuration file was modified\ + \ without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\"\ + \ && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name\ + \ != \"auditctl\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ auditd_rule_file_modified\n version: c533115d\n description: The auditd\ + \ rules file was modified without using auditctl\n expression: open.file.path\ + \ in [\"/etc/audit/rules.d/audit.rules\", 
\"/etc/audit/audit.rules\"]\n &&\ + \ open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n\ + \ \"auditctl\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description:\ + \ The AWS EKS service account token was accessed\n expression: open.file.path\ + \ =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name\ + \ == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ + ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ + , \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\"\ + , \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n \ + \ filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS\ + \ was called via a network utility\n expression: exec.comm in [\"wget\", \"\ + curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\"\ + ,\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"\ + ]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n\ + \ description: An Azure IMDS was called via a network utility\n expression:\ + \ exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"\ + ]\n agent_version: ''\n filters: []\n- id: base64_decode\n version: dd942ef2\n\ + \ description: The base64 command was used to decode information\n expression:\ + \ exec.file.name == \"base64\" && exec.args_flags in [\"d\"]\n agent_version:\ + \ ''\n filters: []\n- id: certutil_usage\n version: 4b9c58b5\n description:\ + \ Certutil was executed to 
transmit or decode a potentially malicious\n file\n\ + \ expression: exec.file.name == \"certutil.exe\" && ((exec.cmdline =~ \"*urlcache*\"\ + \ &&\n exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")\n agent_version:\ + \ ''\n filters:\n - os == \"windows\"\n- id: chatroom_request\n version:\ + \ 91aa2a0f\n description: A newly created file contacted a chatroom domain\n\ + \ expression: dns.question.name in [\"discord.com\", \"api.telegram.org\",\ + \ \"cdn.discordapp.com\"]\n && process.file.in_upper_layer && process.file.change_time\ + \ < 60s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: compile_after_delivery\n\ + \ version: f41c1e36\n description: A compiler wrote a suspicious file in a\ + \ container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n \ + \ (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n\ + \ || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\"\ + , ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm in [\"\ + javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\"\ + , \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"\ + python*\"]\n && container.id != \"\"\n agent_version: ''\n filters:\n \ + \ - os == \"linux\"\n- id: compiler_in_container\n version: 441a7e85\n description:\ + \ Compiler Executed in Container\n expression: (exec.file.name in [\"javac\"\ + , \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args\ + \ in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n\ + \ != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id:\ + \ crackmap_exec_executed\n version: 62b05d89\n description: Known offensive\ + \ tool crackmap exec executed\n expression: exec.cmdline in [~\"*crackmapexec*\"\ + , ~\"*cme*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id:\ + \ credential_modified_chown\n version: b5e2cf51\n description: Sensitive credential\ + 
\ files were modified using a non-standard tool\n expression: |-\n (\n \ + \ (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \ + \ && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\"\ + , \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ + , \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\",\ + \ \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\"\ + , \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid\ + \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version:\ + \ ''\n filters: []\n- id: credential_modified_link\n version: 5fe23f72\n \ + \ description: Sensitive credential files were modified using a non-standard\ + \ tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\"\ + , \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\"\ + , \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\"\ + , \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\"\ + , \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\"\ + , \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\"\ + \ ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ + \ ''\n filters: []\n- id: credential_modified_open_v2\n version: 5aec9afe\n\ + \ 
description: Sensitive credential files were modified using a non-standard\ + \ tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC))\ + \ > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n\ + \ && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"\ + /sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ + , \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\",\ + \ \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\"\ + , \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at\ + \ > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n\ + \ version: b7458786\n description: Sensitive credential files were modified\ + \ using a non-standard tool\n expression: |-\n (\n (rename.file.path\ + \ in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path\ + \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not\ + \ in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ + , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ + , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: 
credential_modified_unlink\n\ + \ version: 557758b6\n description: Sensitive credential files were modified\ + \ using a non-standard tool\n expression: |-\n (\n (unlink.file.path\ + \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not\ + \ in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ + , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ + , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n\ + \ version: de8d14c5\n description: Sensitive credential files were modified\ + \ using a non-standard tool\n expression: |-\n (\n (utimes.file.path\ + \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not\ + \ in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ + , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ + , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: cryptominer_envs\n\ + \ version: 735b7690\n description: Process environment variables match cryptocurrency\ + \ miner\n expression: exec.envs in 
[~\"*POOL_USER*\", ~\"*POOL_URL*\", ~\"\ + *POOL_PASS*\", ~\"*DONATE_LEVEL*\"]\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description:\ + \ The Docker socket was referenced in a cURL command\n expression: exec.file.name\ + \ == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"\ + *docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n\ + - id: database_shell_execution\n version: 3508c713\n description: A database\ + \ application spawned a shell, shell utility, or HTTP utility\n expression:\ + \ |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \ + \ \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \ + \ \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \ + \ \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \ + \ \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ + ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n\ + \ \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"\ + /bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \ + \ \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\"\ + ,\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in\ + \ [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\"\ + ,\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\"\ + ,\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\"\ + ,\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"\ + /bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\"\ + ,\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\"\ + ,\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\"\ + ,\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\"\ + 
,\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"\ + /usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\"\ + ,\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\"\ + ,\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\"\ + ,\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\"\ + ,\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"\ + /usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"\ + /usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\"\ + ,\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\"\ + ,\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\"\ + ,\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"\ + /usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\"\ + ,\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\"\ + ,\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\"\ + ,\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"\ + /usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in\ + \ [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name\ + \ == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name\ + \ == \"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: delete_system_log\n version: 5436807c\n\ + \ description: A process deleted common system log files\n expression: unlink.file.path\ + \ in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\",\n \"/var/log/lastlog\"\ + , \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\",\n \"\ + /var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"\ + ]\n 
&& process.comm not in [\"dockerd\", \"containerd\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version:\ + \ 356d5ee7\n description: A privileged container was created\n expression:\ + \ exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n\ + \ & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n\ \ version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n\ \ expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n\ - \ & PIPE_BUF_FLAG_CAN_MERGE) == 0\n- id: dirty_pipe_exploitation\n version:\ + \ & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid !=\ + \ 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version:\ \ 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression:\ - \ (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0\n- id: example_agent_rule\n\ - \ version: 28ba1078\n description: An example agent rule generated in terraform\n\ - \ expression: exec.file.name == \"java\"\n- id: java_shell_execution\n version:\ - \ 24c2eb7c\n description: Java process spawned shell/utility\n expression:\ - \ \"(exec.file.path in [ \\\"/bin/dash\\\", \\\"/usr/bin/dash\\\",\\n \\\"\ - /bin/sh\\\"\\\n , \\\"/bin/static-sh\\\", \\\"/usr/bin/sh\\\",\\n \\\"/usr/bin/bash\\\ - \",\\n \\\"/bin/bash-static\\\"\\\n ,\\n \\\"/usr/bin/zsh\\\",\\n \\\"\ - /usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\"\\\n \ - \ ,\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\ - \",\\n \\\"/bin/busybox\\\"\\\n ,\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\ - \",\\n \\\"/bin/rksh\\\", \\\"/bin/rksh93\\\",\\n\\\n \\ \\\"/bin/lksh\\\ - \",\\n \\\"/bin/mksh\\\", \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\ - \"\\\n ,\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\ - \",\\n \\\"/usr/bin/yash\\\"\\\n ,\\n \\\"/bin/zsh5\\\", 
\\\"/bin/zsh5-static\\\ - \" ] ||\\n exec.file.path in [\\\"/usr/bin/wget\\\"\\\n , \\\"/usr/bin/curl\\\ - \"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\ - \"\\\n ,\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\ - \",\\\"/bin/df\\\",\\\"/bin/dir\\\"\\\n ,\\\"/bin/echo\\\",\\\"/bin/ln\\\"\ - ,\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\"\\\ - \n ,\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\"\ - ,\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\"\\\n ,\\\"/bin/stty\\\",\\\"/bin/sync\\\ - \",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\ - \"\\\n ,\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\ - \",\\\"/usr/bin/basename\\\"\\\n ,\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\ - \",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"\\\n /usr/bin/cut\\\"\ - ,\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"\ - \\\n /usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"\ - /usr/bin/factor\\\",\\\"/usr/bin/fmt\\\"\\\n ,\\\"/usr/bin/fold\\\",\\\"\ - /usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"\\\n \ - \ /usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\ - \",\\\"/usr/bin/logname\\\"\\\n ,\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\ - \",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\"\\\n ,\\\"/usr/bin/nl\\\"\ - ,\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"\\\ - \n /usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\ - \",\\\"/usr/bin/pr\\\"\\\n ,\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\ - \",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\"\\\n ,\\\"/usr/bin/runcon\\\ - \",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\"\\\ - \n ,\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\ - 
\",\\\"/usr/bin/shred\\\"\\\n ,\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\"\ - ,\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\"\\\n \ - \ ,\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\ - \",\\\"/usr/bin/test\\\"\\\n ,\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\"\ - ,\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\"\\\n ,\\\"/usr/bin/tty\\\ - \",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\"\\\ - \n ,\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"\ - /usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"\\\n ])\\n&& process.ancestors.file.name\ - \ == \\\"java\\\"\"\n- id: kernel_module_chmod\n version: 82c61c82\n description:\ - \ A kernel module was added to /lib/modules/\n expression: \"(\\n (chmod.file.path\ - \ in [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\"\\\n \\ ])\\n\ - \ && process.file.path not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\ - \"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n \ - \ && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\", \\\ - \"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && chmod.mode\ - \ != chmod.file.mode\"\n- id: kernel_module_chown\n version: ca2cf124\n description:\ - \ A kernel module was added to /lib/modules/\n expression: \"(\\n (chown.file.path\ - \ in [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\"\\\n \\ ])\\n\ - \ && process.file.path not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\ - \"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n \ - \ && 
process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\", \\\ - \"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && (chown.uid\ - \ != chown.file.uid\\\n \\ || chown.gid != chown.file.gid)\"\n- id: kernel_module_link\n\ - \ version: a18ca197\n description: A kernel module was added to /lib/modules/\n\ - \ expression: \"(\\n (link.file.path in [ ~\\\"/lib/modules/*\\\", ~\\\"\ - /usr/lib/modules/*\\\"\\\n \\ ]\\n || link.file.destination.path in [\ - \ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\"\\\n \\ ])\\n &&\ - \ process.file.path not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\ - \n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n \ - \ && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\", \\\ - \"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\"\n\ - - id: kernel_module_load\n version: 904592b4\n description: A kernel module\ - \ was loaded\n expression: load_module.name != \"\"\n- id: kernel_module_load_container\n\ + \ (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n \ + \ != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n\ + \ version: 1924611e\n description: A process unlinked a dynamic linker config\ + \ file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\"\ + , ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\"\ + , 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process\ + \ wrote to a dynamic linker config file\n expression: open.file.path in [\"\ + /etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n \ + \ && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path\ + \ not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + ,\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path\ + \ not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\"\ + , \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\"\ + , \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\"\ + , \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \ + \ \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"\ + ]\n agent_version: ''\n filters: []\n- id: exec_lsmod\n version: 1a14c811\n\ + \ description: Kernel modules were listed using the lsmod command\n expression:\ + \ exec.comm == \"lsmod\"\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command\ + \ was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: exec_wrmsr\n version: 13ea7d84\n description:\ + \ The wrmsr program executed\n expression: exec.comm == \"wrmsr\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: executable_bit_added\n version:\ + \ 6f8761f\n description: The executable bit was added to a newly created file\n\ + \ expression: |-\n chmod.file.in_upper_layer &&\n 
chmod.file.change_time\ + \ < 30s &&\n container.id != \"\" &&\n chmod.file.destination.mode !=\ + \ chmod.file.mode &&\n chmod.file.destination.mode & S_IXUSR|S_IXGRP|S_IXOTH\ + \ > 0 &&\n process.argv in [\"+x\"]\n agent_version: ''\n filters: []\n\ + - id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via\ + \ a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"\ + ] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\"\ + ,\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"\ + ]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version:\ + \ 60fd84a9\n description: A hidden file was executed in a suspicious folder\n\ + \ expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\"\ + , ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n\ + \ filters: []\n- id: interactive_shell_in_container\n version: f8bc8845\n\ + \ description: An interactive shell was started inside of a container\n expression:\ + \ |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \ + \ \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"\ + /bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"\ + /usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"\ + /usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ + ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n\ + \ \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"\ + /bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \ + \ \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\"\ + ,\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in\ + \ [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters:\n - os ==\ + \ \"linux\"\n- id: ip_check_domain\n version: d8a9934\n description: A DNS\ + \ lookup was done for a IP check service\n expression: 
dns.question.name in\ + \ [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\"\ + , \"whatismyip.akamai.com\"] && process.file.name != \"\"\n agent_version:\ + \ ''\n filters: []\n- id: iptables_egress_allowed\n version: a5be0ef9\n description:\ + \ Egress traffic allowed using iptables\n expression: exec.comm == \"iptables\"\ + \ && process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\\ + b){4}.*ACCEPT\"]\n && process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\\ + .)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]\n \ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: java_shell_execution_parent\n\ + \ version: 1bcff0aa\n description: A java process spawned a shell, shell utility,\ + \ or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\"\ + ,\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n\ + \ \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \ + \ \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\"\ + ,\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\"\ + ,\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n\ + \ \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \ + \ \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\"\ + ,\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n\ + \ \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \ + \ \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"\ + ] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"\ + /bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\"\ + ,\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\"\ + ,\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\"\ + ,\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"\ + 
/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"\ + /usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\"\ + ,\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\"\ + ,\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\"\ + ,\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"\ + /usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"\ + /usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\"\ + ,\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"\ + /usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\"\ + ,\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\"\ + ,\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\"\ + ,\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\"\ + ,\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\"\ + ,\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"\ + /usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\"\ + ,\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"\ + /usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\"\ + ,\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\ + \ && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: jupyterhub_shell\n version: ee1b8429\n description:\ + \ A shell command was executed from a JupyterHub code cell\n expression: exec.file.path\ + \ == \"/usr/bin/bash\" && process.ancestors.comm == \"jupyterhub-sing\"\n agent_version:\ + \ ''\n filters: []\n- id: k8s_pod_service_account_token_accessed\n version:\ + \ 88c0ee3a\n description: The Kubernetes pod service 
account token was accessed\n\ + \ expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\"\ + ,\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name\ + \ == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ + , \"/opt/datadog-agent/embedded/bin/system-probe\",\n \"/opt/datadog-agent/embedded/bin/security-agent\"\ + , \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\"\ + , \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\"\ + , \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\"\ + ,\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path\ + \ not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\"\ + , \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\"\ + , \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n\ + \ \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\"\ + ,\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\"\ + ,\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\"\ + ,\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\"\ + ]\n && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ + ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ + , \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\"\ + , \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n \ + \ filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 93da2ba6\n\ + \ 
description: A new kernel module was added\n expression: |-\n (\n \ + \ (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n\ + \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ + \ ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: kernel_module_chown\n version: ca2cf124\n\ + \ description: A new kernel module was added\n expression: |-\n (\n \ + \ (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n\ + \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ + \ ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ + \ != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n\ + \ version: ae6469e5\n description: A new kernel module was added\n expression:\ + \ |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + \ ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ + \ )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version:\ + \ 904592b4\n description: A kernel module was loaded\n expression: load_module.name\ + \ not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\"\ + , \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"\ + ]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\"\ + , \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_container\n\ \ version: 139b666a\n description: A container loaded a new kernel module\n\ - \ expression: load_module.name != \"\" && container.id !=\"\"\n- id: kernel_module_load_from_memory\n\ - \ version: 78122acd\n description: A kernel module was loaded from memory\n\ - \ expression: load_module.loaded_from_memory == true\n- id: kernel_module_load_from_memory_container\n\ + \ expression: load_module.name != \"\" && container.id !=\"\"\n agent_version:\ + \ ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n\ + \ description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory\ + \ == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n\ \ version: a277c753\n description: A kernel module was loaded from memory\ \ inside a container\n expression: load_module.loaded_from_memory == true &&\ - \ container.id !=\"\"\n- id: 
kernel_module_open\n version: 55f9569\n description:\ - \ A kernel module was added to /lib/modules/\n expression: \"(\\n open.flags\ - \ & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path\\\n \\\ - \ in [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\" ])\\n && process.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n && process.ancestors.file.path\ - \ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"] && process.ancestors.file.path\\\n\ - \ \\ != \\\"/usr/bin/kmod\\\"\\n)\"\n- id: kernel_module_rename\n version:\ - \ 9d8cb7d8\n description: A kernel module was added to /lib/modules/\n expression:\ - \ \"(\\n (rename.file.path in [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\ - \"\\\n \\ ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/*\\\ - \", ~\\\"/usr/lib/modules/*\\\"\\\n \\ ])\\n && process.file.path not\ - \ in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n && process.ancestors.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ] && process.ancestors.file.path\ - \ != \\\"/usr/bin/kmod\\\"\\n)\"\n- id: kernel_module_unlink\n version: 652391be\n\ - \ description: A kernel module was added to /lib/modules/\n expression: \"\ - (\\n (unlink.file.path in [ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\ - \"\\\n \\ ])\\n 
&& process.file.path not in [\\\"/usr/bin/apt\\\", \\\"\ - /usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\"\n\ - - id: kernel_module_utimes\n version: 405d45e7\n description: A kernel module\ - \ was added to /lib/modules/\n expression: \"(\\n (utimes.file.path in [\ - \ ~\\\"/lib/modules/*\\\", ~\\\"/usr/lib/modules/*\\\"\\\n \\ ])\\n &&\ - \ process.file.path not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\ - \n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n \ - \ && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\", \\\ - \"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\"\n\ - - id: net_util\n version: fc362090\n description: A network utility was executed\ - \ from a suspicious location\n expression: \"(exec.file.path in [\\\"/usr/bin/socat\\\ - \", \\\"/usr/bin/dig\\\", \\\"/usr/bin/nslookup\\\"\\\n , \\\"/usr/bin/netcat\\\ - \", \\\"/usr/bin/nc\\\"] ||\\n exec.file.path in [\\\"/usr/bin/wget\\\"\\\n\ - \ , \\\"/usr/bin/curl\\\"]) &&\\ncontainer.id == \\\"\\\" && (exec.args not\ - \ in [ ~\\\"*localhost*\\\"\\\n , ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\ - \" ] || process.ancestors.comm != \\\"50-motd-news\\\"\\\n ) && process.ancestors.file.path\ - \ in [ ~\\\"/tmp/**\\\", 
~\\\"/var/tmp/**\\\", ~\\\"/home/**\\\"\\\n , ~\\\ - \"/run/user/**\\\" ]\"\n- id: net_util_in_container\n version: 69e03ac1\n \ - \ description: A network utility was executed from a suspicious location in\ - \ a container\n expression: \"(exec.file.path in [\\\"/usr/bin/socat\\\", \\\ - \"/usr/bin/dig\\\", \\\"/usr/bin/nslookup\\\"\\\n , \\\"/usr/bin/netcat\\\ - \", \\\"/usr/bin/nc\\\"] ||\\n exec.file.path in [\\\"/usr/bin/wget\\\"\\\n\ - \ , \\\"/usr/bin/curl\\\"]) &&\\ncontainer.id != \\\"\\\" && (exec.args not\ - \ in [ ~\\\"*localhost*\\\"\\\n , ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\ - \" ] || process.ancestors.comm != \\\"50-motd-news\\\"\\\n ) && process.ancestors.file.path\ - \ in [ ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/home/**\\\"\\\n , ~\\\ - \"/run/user/**\\\" ]\"\n- id: new_binary_execution_in_container\n version:\ - \ 9dc42e1d\n description: A container executed a new a binary not found in\ - \ the container image\n expression: container.id !=\"\" && !process.file.in_upper_layer\ - \ && process.file.modification_time\n < 30s && exec.file.name !=\"\"\n- id:\ - \ new_kernel_module_audit\n version: 904592b4\n description: A kernel module\ - \ was loaded\n expression: load_module.name != \"\"\n- id: new_kernel_module_audit_container\n\ - \ version: 139b666a\n description: A kernel module was loaded\n expression:\ - \ load_module.name != \"\" && container.id !=\"\"\n- id: nsswitch_conf_mod_chmod\n\ - \ version: d301aedf\n description: Nsswitch Configuration Modified\n expression:\ - \ \"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && chmod.mode\\\ - \n \\ != chmod.file.mode\"\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n\ - \ description: Nsswitch Configuration Modified\n expression: \"(\\n (chown.file.path\ - \ in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && (chown.uid\\\n \\ != chown.file.uid\ - \ || chown.gid != chown.file.gid)\"\n- id: nsswitch_conf_mod_link\n version:\ - \ e0565b29\n description: Nsswitch 
Configuration Modified\n expression: \"\ - (\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path\\\ - \n \\ in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\"\n- id: nsswitch_conf_mod_open\n\ - \ version: b5602c6f\n description: Nsswitch Configuration Modified\n expression:\ - \ \"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path\\\ - \n \\ in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\"\n- id: nsswitch_conf_mod_rename\n\ - \ version: aad34176\n description: Nsswitch Configuration Modified\n expression:\ - \ \"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path\\\ - \n \\ in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\"\n- id: nsswitch_conf_mod_unlink\n\ - \ version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression:\ - \ \"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\"\n- id:\ - \ nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration\ - \ Modified\n expression: \"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\ - \" ])\\n)\"\n- id: package_management_in_container\n version: c152fcaf\n description:\ - \ Package management in container\n expression: exec.file.path in [\"/usr/bin/apt\"\ - , \"/usr/bin/apt-get\", \"/usr/bin/apt-config\",\n \"/usr/bin/dpkg\", \"\ - /usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - ]\n && container.id != \"\"\n- id: pam_modification_chmod\n version: 974a676e\n\ - \ description: PAM Configuration Files Modification\n expression: \"(\\n \ - \ (chmod.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\\ - n\\\n ) && chmod.mode != chmod.file.mode\"\n- id: pam_modification_chown\n\ - \ version: ca22d0ab\n description: PAM Configuration Files Modification\n\ - \ expression: \"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\ - \" ])\\n\\\n ) && (chown.uid != chown.file.uid || chown.gid != chown.file.gid)\"\ - \n- id: pam_modification_link\n 
version: 3d5d6b31\n description: PAM Configuration\ - \ Files Modification\n expression: \"(\\n (link.file.path in [ ~\\\"/etc/pam.d/*\\\ - \", \\\"/etc/pam.conf\\\" ]\\n\\\n \\ || link.file.destination.path in\ - \ [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n\\\n )\"\n- id: pam_modification_open\n\ - \ version: 9440f452\n description: PAM Configuration Files Modification\n\ - \ expression: \"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0\ - \ &&\\n (open.file.path\\\n \\ in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\ - \" ])\\n)\"\n- id: pam_modification_rename\n version: bd1d257a\n description:\ - \ PAM Configuration Files Modification\n expression: \"(\\n (rename.file.path\ - \ in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\"\\\n \\ ]\\n || rename.file.destination.path\ - \ in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\"\\\n \\ ])\\n)\"\n- id:\ - \ pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration\ - \ Files Modification\n expression: \"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/*\\\ - \", \\\"/etc/pam.conf\\\"\\\n \\ ])\\n)\"\n- id: pam_modification_utimes\n\ - \ version: d377b599\n description: PAM Configuration Files Modification\n\ - \ expression: \"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"\ - /etc/pam.conf\\\"\\\n \\ ])\\n)\"\n- id: passwd_execution\n version: e1d41f5e\n\ - \ description: Passwd utility executed\n expression: exec.file.path == \"\ - /usr/bin/passwd\"\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n\ - \ description: Critical System Binaries\n expression: \"(\\n (chmod.file.path\ - \ in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\"\\\n , ~\\\"\ - /usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"\ - /boot/*\\\"\\\n \\ ])\\n && process.file.path not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\ - \"]\\n && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n) && chmod.mode != chmod.file.mode\"\n- id: pci_11_5_critical_binaries_chown\n\ - \ version: 21da2189\n description: Critical System Binaries\n expression:\ - \ \"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\ - \"\\\n , ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\ - \", ~\\\"/boot/*\\\"\\\n \\ ])\\n && process.file.path not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n && process.ancestors.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n) && (chown.uid != chown.file.uid || chown.gid != chown.file.gid)\"\ - \n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description:\ - \ Critical System Binaries\n expression: \"(\\n (link.file.path in [ ~\\\ - \"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\"\\\n , ~\\\"/usr/sbin/*\\\ - \", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/*\\\"\\\ - \n \\ ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\ - \", ~\\\"/usr/bin/*\\\"\\\n , ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\ - \", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/*\\\"\\\n \\ ])\\n && process.file.path\ - \ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", 
\\\"/usr/bin/unattended-upgrade\\\"]\\n && process.ancestors.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n)\"\n- id: pci_11_5_critical_binaries_open\n\ - \ version: f583ba7c\n description: Critical System Binaries\n expression:\ - \ \"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path\\\ - \n \\ in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"\ - /usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\"\\\n , ~\\\"/usr/local/sbin/*\\\ - \", ~\\\"/boot/*\\\" ])\\n && process.file.path not in [\\\"\\\n /usr/bin/apt\\\ - \", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \"\\\n , \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n && process.ancestors.file.path not in [\\\"/usr/bin/apt\\\"\ - , \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n)\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description:\ - \ Critical System Binaries\n expression: \"(\\n (rename.file.path in [ ~\\\ - \"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\"\\\n , ~\\\"/usr/sbin/*\\\ - \", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/*\\\"\\\ - \n \\ ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"\ - /sbin/*\\\", ~\\\"/usr/bin/*\\\"\\\n , ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\ - \", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/*\\\"\\\n \\ ])\\n && process.file.path\ - \ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n && 
process.ancestors.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n)\"\n- id: pci_11_5_critical_binaries_unlink\n\ - \ version: 3bb086ca\n description: Critical System Binaries\n expression:\ - \ \"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"\ - /usr/bin/*\\\"\\\n , ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\ - \"/usr/local/sbin/*\\\", ~\\\"/boot/*\\\"\\\n \\ ])\\n && process.file.path\ - \ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n && process.ancestors.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n)\"\n- id: pci_11_5_critical_binaries_utimes\n\ - \ version: 6d979630\n description: Critical System Binaries\n expression:\ - \ \"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"\ - /usr/bin/*\\\"\\\n , ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\ - \"/usr/local/sbin/*\\\", ~\\\"/boot/*\\\"\\\n \\ ])\\n && process.file.path\ - \ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\"\\\n , \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"\\\n /usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n && process.ancestors.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n)\"\n- id: potential_web_shell\n\ - \ version: 
dcaa6f4d\n description: A webapp process (language engine or webserver)\ - \ spawned a shell, shell\n utility, or HTTP utility\n expression: \"(exec.file.path\ - \ in [ \\\"/bin/dash\\\", \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\"\\\n \ - \ , \\\"/bin/static-sh\\\", \\\"/usr/bin/sh\\\",\\n \\\"/usr/bin/bash\\\",\\\ - n \\\"/bin/bash-static\\\"\\\n ,\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\ - \",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\"\\\n ,\\n \\\"/usr/bin/tcsh\\\ - \",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\ - \"\\\n ,\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\ - \", \\\"/bin/rksh93\\\",\\n\\\n \\ \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\ - \", \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\"\\\n ,\\n \\\"\ - /bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\ - \"\\\n ,\\n \\\"/bin/zsh5\\\", \\\"/bin/zsh5-static\\\" ] || exec.file.path\ - \ in [\\\"/usr/bin/wget\\\"\\\n , \\\"/usr/bin/curl\\\"] || exec.file.path\ - \ in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\"\\\n ,\\\"/bin/chown\\\ - \",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\ - \"\\\n ,\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\ - \",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\"\\\n ,\\\"/bin/mv\\\",\\\"/bin/pwd\\\ - \",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\ - \"\\\n ,\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\ - \",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\"\\\n ,\\\"/usr/bin/b2sum\\\",\\\ - \"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\"\\\n\ - \ ,\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\ - \"/usr/bin/csplit\\\",\\\"\\\n /usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\"\ - ,\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"\\\n /usr/bin/env\\\",\\\ - 
\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\ - \"\\\n ,\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\ - \",\\\"/usr/bin/hostid\\\",\\\"\\\n /usr/bin/id\\\",\\\"/usr/bin/install\\\ - \",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\"\\\n\ - \ ,\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\ - \",\\\"/usr/bin/nice\\\"\\\n ,\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\"\ - ,\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"\\\n /usr/bin/od\\\"\ - ,\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"\ - /usr/bin/pr\\\"\\\n ,\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\ - \"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\"\\\n ,\\\"/usr/bin/runcon\\\"\ - ,\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\"\\\n\ - \ ,\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\ - \",\\\"/usr/bin/shred\\\"\\\n ,\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\"\ - ,\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\"\\\n \ - \ ,\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\ - \",\\\"/usr/bin/test\\\"\\\n ,\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\"\ - ,\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\"\\\n ,\\\"/usr/bin/tty\\\ - \",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\"\\\ - \n ,\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"\ - /usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"\\\n ]) &&\\n(process.ancestors.file.name\ - \ in [~\\\"python2*\\\", ~\\\"python3*\\\", \\\"node\\\"\\\n , \\\"apache2\\\ - \", \\\"nginx\\\", ~\\\"tomcat*\\\"] || process.ancestors.file.name =~ \\\"\ - php*\\\"\\\n ) &&\\nprocess.ancestors.comm not in [\\\"pip3\\\", \\\"pip\\\ - \", \\\"npm\\\"]\"\n- id: ptrace_antidebug\n version: a6289ff7\n description:\ + \ container.id !=\"\"\n agent_version: ''\n filters: []\n- id: 
kernel_module_open\n\ + \ version: 55f9569\n description: A new kernel module was added\n expression:\ + \ |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n\ + \ (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ + \ )\n agent_version: ''\n filters: []\n- id: kernel_module_rename\n version:\ + \ 8dd78e74\n description: A new kernel module was added\n expression: |-\n\ + \ (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + \ ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"\ + /usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path\ + \ != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n\ + \ version: 652391be\n description: A new kernel module was added\n expression:\ + \ |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ + \ )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version:\ + \ 405d45e7\n description: A new kernel module was added\n expression: |-\n\ + \ (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ + \ )\n agent_version: ''\n filters: []\n- id: kernel_msr_write\n version:\ + \ 2c433a21\n description: A process attempted to enable writing to model-specific\ + \ registers\n expression: exec.comm == \"modprobe\" && process.args =~ \"*msr*allow_writes*\"\ + \n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kmod_list\n version:\ + \ c353a548\n description: Kernel modules were listed using the kmod command\n\ + \ expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: kubernetes_dns_enumeration\n version:\ + \ 70a1304\n description: Kubernetes DNS enumeration\n expression: dns.question.name\ + \ == \"any.any.svc.cluster.local\" && dns.question.type\n == SRV && container.id\ + \ != \"\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: kubernetes_offensive_tool_executed\n\ + \ version: 18130cbb\n description: Kubernetes offensive tool executed\n expression:\ + \ (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n\ + \ \"kubestriker\" in exec.argv )) || exec.file.name in [\"kubiscan\",\"kdigger\"\ + ,\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\"\ + ,\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n\ + \ version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by\ + \ a link to a suspicious file\n directory\n expression: exec.envs in [~\"\ + LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters:\ + \ []\n- id: libpam_ebpf_hook\n version: adbe1bb1\n description: Library libpam.so\ + \ hooked using eBPF\n expression: bpf.cmd == BPF_MAP_CREATE && process.args\ + \ in [r\".*libpam.so.*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: looney_tunables_exploit\n version: 7e9f4346\n description: Looney\ + \ Tunables (CVE-2023-4911) exploit attempted\n expression: exec.file.mode &\ + \ S_ISUID > 0 && exec.file.uid == 0 && exec.uid != 0\n && exec.envs in [~\"\ + *GLIBC_TUNABLES*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n\ + - id: memfd_create\n version: 5908512a\n description: memfd object created\n\ + \ expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version:\ + \ ''\n filters: []\n- id: minidump_usage\n version: 3de40e55\n description:\ + \ Process memory was dumped using the minidump function from comsvcs.dll\n \ + \ expression: exec.cmdline =~ \"*MiniDump*\"\n agent_version: ''\n filters:\n\ + \ - os == \"windows\"\n- id: mount_host_fs\n version: accb4f\n description:\ + \ The host file system was mounted in a container\n expression: mount.source.path\ + \ == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version:\ + \ ''\n filters: []\n- 
id: net_file_download\n version: 75b930ad\n description:\ + \ A suspicious file was written by a network utility\n expression: |-\n \ + \ open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"\ + ]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"\ + *.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\"\ + , ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n \ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_unusual_request\n\ + \ version: 3df2d9ef\n description: Network utility executed with suspicious\ + \ URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] &&\ + \ exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters:\ + \ []\n- id: net_util\n version: c3f2117b\n description: A network utility\ + \ was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"\ + nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in\ + \ [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args\ + \ not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version:\ + \ ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description:\ + \ Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\ + \"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n\ + \ \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"\ + d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not\ + \ in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n \ + \ filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n\ + \ description: A network utility was executed in a container\n expression:\ + \ |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\"\ + , ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"\ + ]) &&\n 
container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"\ + *127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n\ + - id: net_util_in_container_v2\n version: 26d8eba1\n description: A network\ + \ utility was executed in a container\n expression: |-\n (exec.comm in [\"\ + socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"]\ + \ ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id\ + \ != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\"\ + \ ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id:\ + \ network_sniffing_tool\n version: 4ae409bf\n description: Local account groups\ + \ were enumerated after container start up\n expression: exec.file.name in\ + \ [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description:\ + \ A container executed a new binary not found in the container image\n expression:\ + \ container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n\ + \ < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n-\ + \ id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch\ + \ may have been modified without authorization\n expression: |-\n (\n \ + \ (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode\ + \ != chmod.file.mode && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may\ + \ have been modified without authorization\n expression: |-\n (\n \ + \ (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && 
(chown.file.destination.uid\ + \ != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n \ + \ - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description:\ + \ Nsswitch Configuration Modified\n expression: |-\n (\n (link.file.path\ + \ in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [\ + \ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id:\ + \ nsswitch_conf_mod_open\n version: b5602c6f\n description: nsswitch may have\ + \ been modified without authorization\n expression: |-\n (\n open.flags\ + \ & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\"\ + \ ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may\ + \ have been modified without authorization\n expression: |-\n (\n \ + \ open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path\ + \ in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 90s && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n \ + \ - os == \"linux\"\n- id: nsswitch_conf_mod_rename\n version: aad34176\n \ + \ description: Nsswitch Configuration Modified\n expression: |-\n (\n \ + \ 
(rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path\ + \ in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n\ + - id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch\ + \ Configuration Modified\n expression: |-\n (\n (unlink.file.path\ + \ in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n\ + - id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch\ + \ Configuration Modified\n expression: |-\n (\n (utimes.file.path\ + \ in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n\ + - id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced\ + \ in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version:\ + \ ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version:\ + \ b83fba22\n description: A known kubernetes pentesting tool has been executed\n\ + \ expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv\ + \ ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\"\ + ,\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\"\ + ,\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n\ + - id: omigod\n version: 2064b3b4\n description: Omiagent spawns a privileged\ + \ child process\n expression: exec.uid >= 0 && process.ancestors.file.name\ + \ == \"omiagent\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ open_msr_writes\n version: 261f8f98\n description: A process opened a model-specific\ + \ register (MSR) configuration file\n expression: open.file.path == \"/sys/module/msr/parameters/allow_writes\"\ + \ && open.flags\n & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: package_management_in_container\n\ + \ version: c152fcaf\n description: Package management was detected in a container\n\ + \ expression: exec.file.path in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ + /usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: package_management_in_container_v2\n\ + \ version: 7eb85510\n description: Package management was detected in a conatiner\ + \ outside of container\n start_up\n expression: exec.file.path in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"] && container.id != \"\" && container.created_at\n\ + \ > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_chmod\n\ + \ version: 974a676e\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\",\ + \ \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n\ + \ agent_version: ''\n filters: []\n- id: pam_modification_chown\n version:\ + \ d89aa0a7\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\",\ + \ \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid\ + \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters:\ + \ []\n- id: pam_modification_link\n version: aa68153f\n description: PAM may\ + \ have been modified without authorization\n expression: |-\n (\n \ + \ (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n ||\ + \ link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n\ + \ )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version:\ + \ e22e05b7\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 &&\n 
(open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\"\ + \ ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n\ + \ version: bd1d257a\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n\ + \ version: c3dc53e1\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n\ + \ version: d377b599\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n\ + \ version: e1d41f5e\n description: The passwd or chpasswd utility was used\ + \ to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\"\ + , \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"\ + ]\n agent_version: ''\n filters: []\n- id: paste_site\n version: 3dcef11\n\ + \ description: A DNS lookup was done for a pastebin-like site\n expression:\ + \ dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\"\ + ,\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version: ''\n filters:\ + \ []\n- id: pci_11_5_critical_binaries_chmod\n version: b858137e\n description:\ + \ Critical system binaries may have been modified\n expression: |-\n (\n\ + \ (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", 
~\"/usr/bin/*\", ~\"\ + /usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version:\ + \ ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n version: d6630ebc\n\ + \ description: Critical system binaries may have been modified\n expression:\ + \ |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ + , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ + \ != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n\ + \ version: 9b8182c6\n description: Critical system binaries may have been\ + \ modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\"\ + , ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"\ + /usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path\ + \ in [ ~\"/bin/*\", 
~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\"\ + , ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not\ + \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n\ + \ version: ce1c6918\n description: Critical system binaries may have been\ + \ modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ + , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ + \ ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_open_v2\n\ + \ version: 45abd074\n description: Critical system binaries may have been\ + \ modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ + , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ + \ ]\n && process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n -\ + \ os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: 2a133ffc\n\ + \ description: Critical system binaries may have been modified\n expression:\ + \ |-\n (\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ + , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ + \ ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\"\ + , ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\"\ + , ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n\ + \ version: a750ab26\n description: Critical system binaries may have been\ + \ modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\"\ + , ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"\ + /usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"\ + /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , 
\"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"\ + linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 5e2a9d6f\n description:\ + \ Critical system binaries may have been modified\n expression: |-\n (\n\ + \ (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\",\ + \ ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n\ + \ version: 47048a42\n description: A process resolved a DNS name associated\ + \ with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\"\ + , ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\"\ + , ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"\ + ] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n\ + \ version: b67ffbcd\n description: A web application spawned a shell or shell\ + \ utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \ + \ \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"\ + /usr/bin/sh\",\n \"/bin/bash\",\n 
\"/usr/bin/bash\",\n \"/bin/bash-static\"\ + ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ + ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ + ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n\ + \ \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"\ + /bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \ + \ \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\"\ + ,\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\"\ + , \"curl\", \"lwp-download\"] || exec.file.path in [\"/bin/cat\",\"/bin/chgrp\"\ + ,\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\"\ + ,\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\"\ + ,\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\"\ + ,\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"\ + /bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\"\ + ,\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\"\ + ,\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\"\ + ,\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\"\ + ,\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"\ + /usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"\ + /usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\"\ + ,\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"\ + /usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\"\ + ,\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\"\ + ,\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\"\ + ,\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\"\ + 
,\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\"\ + ,\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"\ + /usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\"\ + ,\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"\ + /usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\"\ + ,\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\ + \ &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\"\ + , \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n\ + \ filters: []\n- id: procdump_execution\n version: bfcebb5c\n description:\ + \ A tool used to dump process memory has been executed\n expression: exec.file.name\ + \ in [\"procmon.exe\",\"procdump.exe\"]\n agent_version: ''\n filters:\n \ + \ - os == \"windows\"\n- id: ptrace_antidebug\n version: a6289ff7\n description:\ \ A process uses an anti-debugging technique to block debuggers\n expression:\ - \ ptrace.request == PTRACE_TRACEME\n- id: ptrace_injection\n version: 6d290a43\n\ - \ description: A process attempted to inject code into another process\n expression:\ - \ ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n \ - \ || ptrace.request == PTRACE_POKEUSR\n- id: pwnkit_privilege_escalation\n\ + \ ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version:\ + \ ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description:\ + \ A process attempted to inject code into another process\n expression: ptrace.request\ + \ == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request\ + \ == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n\ \ version: c83bbabc\n description: A process was spawned with indicators of\ \ exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\"\ - \ && exec.envs in 
[~\"*SHELL*\", ~\"*PATH*\"]\n && exec.uid != 0)\n- id:\ - \ runc_modification\n version: c7144439\n description: Runc Binary Modified\n\ - \ expression: 'open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"\ - /usr/bin/docker-runc\"]\n\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY\ - \ > 0\n\n && process.file.path not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\"\ - , \"/usr/bin/apt-config\",\n \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"]\n\n && process.ancestors.file.path\ - \ not in [\"/usr/bin/apt\", \"/usr/bin/apt-get\", \"/usr/bin/apt-config\",\n\ - \ \"/usr/bin/dpkg\", \"/usr/bin/aptitude-curses\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - ]'\n- id: selinux_disable_enforcement\n version: afa9a8ba\n description: SELinux\ - \ enforcement status was disabled\n expression: selinux.enforce.status in [\"\ - permissive\", \"disabled\"]\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n\ - \ description: SSH Authorized Keys Modified\n expression: \"(\\n chmod.file.name\ - \ == \\\"authorized_keys\\\" && (chmod.file.path in\\\n \\ [ ~\\\"*/.ssh/*\\\ - \" ])\\n) && chmod.mode != chmod.file.mode\"\n- id: ssh_authorized_keys_chown\n\ - \ version: 9639bf6\n description: SSH Authorized Keys Modified\n expression:\ - \ \"(\\n chown.file.name == \\\"authorized_keys\\\" && (chown.file.path in\\\ - \n \\ [ ~\\\"*/.ssh/*\\\" ])\\n) && (chown.uid != chown.file.uid || chown.gid\ - \ != chown.file.gid)\"\n- id: ssh_authorized_keys_link\n version: 81382bdd\n\ - \ description: SSH Authorized Keys Modified\n expression: \"(\\n link.file.name\ - \ == \\\"authorized_keys\\\" && (link.file.path in\\\n \\ [ ~\\\"*/.ssh/*\\\ - \" ]\\n || link.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n\\\n \ - \ )\"\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description:\ - \ SSH Authorized Keys Modified\n expression: \"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 &&\\n open.file.name\\\n 
\\ == \\\"authorized_keys\\\" && (open.file.path\ - \ in [ ~\\\"*/.ssh/*\\\" ])\\n)\"\n- id: ssh_authorized_keys_rename\n version:\ - \ fd3bdabf\n description: SSH Authorized Keys Modified\n expression: \"(\\\ - n rename.file.name == \\\"authorized_keys\\\" && (rename.file.path\\\n \ - \ \\ in [ ~\\\"*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\ - \"*/.ssh/*\\\"\\\n \\ ])\\n)\"\n- id: ssh_authorized_keys_unlink\n version:\ - \ 54cf4a88\n description: SSH Authorized Keys Modified\n expression: \"(\\\ - n unlink.file.name == \\\"authorized_keys\\\" && (unlink.file.path\\\n \ - \ \\ in [ ~\\\"*/.ssh/*\\\" ])\\n)\"\n- id: ssh_authorized_keys_utimes\n version:\ - \ 59377e61\n description: SSH Authorized Keys Modified\n expression: \"(\\\ - n utimes.file.name == \\\"authorized_keys\\\" && (utimes.file.path\\\n \ - \ \\ in [ ~\\\"*/.ssh/*\\\" ])\\n)\"\n- id: ssl_certificate_tampering_chmod\n\ - \ version: d8ac6517\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n) && chmod.mode != chmod.file.mode\"\ - \n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description:\ - \ SSL Certificate Tampering\n expression: \"(\\n (chown.file.path in [ ~\\\ - \"/etc/ssl/certs/*\\\" ])\\n && process.file.path\\\n \\ not in [\\\"\ - /usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\ - \\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n) && (chown.uid != chown.file.uid\ - \ || chown.gid != chown.file.gid)\"\n- id: ssl_certificate_tampering_link\n\ - \ version: eb594616\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n 
(link.file.path in [ ~\\\"/etc/ssl/certs/*\\\" ]\\n || link.file.destination.path\\\ - \n \\ in [ ~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path not in\ - \ [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: ssl_certificate_tampering_open\n\ - \ version: 59d94d53\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path\\\ - \n \\ in [ ~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path not in\ - \ [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: ssl_certificate_tampering_rename\n\ - \ version: e42eefb4\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/*\\\" ]\\n || rename.file.destination.path\\\ - \n \\ in [ ~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path not in\ - \ [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: ssl_certificate_tampering_unlink\n\ - \ version: 37c40311\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n)\"\n- id: ssl_certificate_tampering_utimes\n\ - \ version: de3d3032\n description: SSL Certificate Tampering\n expression:\ - \ \"(\\n (utimes.file.path in [ 
~\\\"/etc/ssl/certs/*\\\" ])\\n && process.file.path\\\ - \n \\ not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"\\\n /usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"\\\n ]\\n)\"\n- id: suspicious_container_client\n\ - \ version: 8b9461f4\n description: A container management utility was executed\ - \ in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"]\ - \ && container.id != \"\"\n- id: systemd_modification_chmod\n version: b0643139\n\ - \ description: Systemd Modification\n expression: \"(\\n (chmod.file.path\ - \ in [ ~\\\"/lib/systemd/system/*\\\", ~\\\"/usr/lib/systemd/system/*\\\"\\\n\ - \ , ~\\\"/etc/systemd/system/*\\\" ])\\n && process.file.path not in [\\\ - \"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n) && chmod.mode != chmod.file.mode\"\ - \n- id: systemd_modification_chown\n version: 380d501\n description: Systemd\ - \ Modification\n expression: \"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/*\\\ - \", ~\\\"/usr/lib/systemd/system/*\\\"\\\n , ~\\\"/etc/systemd/system/*\\\ - \" ])\\n && process.file.path not in [\\\"/usr/bin/apt\\\"\\\n , \\\"\ - /usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\ - \"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"]\\n) && (chown.uid != chown.file.uid\\\n \\ || chown.gid != chown.file.gid)\"\ - \n- id: systemd_modification_link\n version: cbd89cec\n description: Systemd\ - \ Modification\n expression: \"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/*\\\ - \", ~\\\"/usr/lib/systemd/system/*\\\"\\\n , ~\\\"/etc/systemd/system/*\\\ - \" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/*\\\"\ - \\\n , 
~\\\"/usr/lib/systemd/system/*\\\", ~\\\"/etc/systemd/system/*\\\"\ - \ ])\\n && process.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\", \\\"\ - /usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n)\"\n- id: systemd_modification_open\n version: b6dce303\n description:\ - \ Systemd Modification\n expression: \"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY)\ - \ > 0 &&\\n (open.file.path\\\n \\ in [ ~\\\"/lib/systemd/system/*\\\"\ - , ~\\\"/usr/lib/systemd/system/*\\\", ~\\\"/etc/systemd/system/*\\\"\\\n \ - \ \\ ])\\n && process.file.path not in [\\\"/usr/bin/apt\\\", \\\"/usr/bin/apt-get\\\ - \"\\\n , \\\"/usr/bin/apt-config\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\ - \", \\\"\\\n /usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\ - \n- id: systemd_modification_rename\n version: 1e723c46\n description: Systemd\ - \ Modification\n expression: \"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/*\\\ - \", ~\\\"/usr/lib/systemd/system/*\\\"\\\n , ~\\\"/etc/systemd/system/*\\\ - \" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/*\\\ - \"\\\n , ~\\\"/usr/lib/systemd/system/*\\\", ~\\\"/etc/systemd/system/*\\\ - \" ])\\n && process.file.path\\\n \\ not in [\\\"/usr/bin/apt\\\", \\\"\ - /usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\", \\\"\\\n /usr/bin/dpkg\\\ - \", \\\"/usr/bin/aptitude-curses\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \"\\\n ]\\n)\"\n- id: systemd_modification_unlink\n version: dcb17382\n\ - \ description: Systemd Modification\n expression: \"(\\n (unlink.file.path\ - \ in [ ~\\\"/lib/systemd/system/*\\\", ~\\\"/usr/lib/systemd/system/*\\\"\\\n\ - \ , ~\\\"/etc/systemd/system/*\\\" ])\\n && process.file.path not in [\\\ - \"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", 
\\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: systemd_modification_utimes\n\ - \ version: 6b596fc5\n description: Systemd Modification\n expression: \"\ - (\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/*\\\", ~\\\"/usr/lib/systemd/system/*\\\ - \"\\\n , ~\\\"/etc/systemd/system/*\\\" ])\\n && process.file.path not\ - \ in [\\\"/usr/bin/apt\\\"\\\n , \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-config\\\ - \", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/aptitude-curses\\\"\\\n , \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\"]\\n)\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n\ - \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n\ - \ 
version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n\ - \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n\ - \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n\ - \ version: 28ba1078\n description: an agent rule\n expression: 
exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n\ 
- \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n\ - \ version: 28ba1078\n description: an 
agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n\ - \ version: 28ba1078\n description: an agent rule\n expression: 
exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n\ - \ version: 28ba1078\n description: an agent rule\n expression: exec.file.name\ - \ == \"java\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n\ - \ version: 2dd188de\n description: an agent rule\n 
expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n\ - \ version: 2dd188de\n description: an agent rule\n 
expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n\ - \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n- id: user_created_tty\n version: 5b5f4a52\n description: User\ - \ Created Interactively\n expression: exec.file.name in [\"useradd\", \"newusers\"\ - ] && exec.tty_name !=\"\"\n" + \ && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"\ + *DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: python_cli_code\n version: '989474'\n\ + \ description: Python code was provided on the command line\n expression:\ + \ exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n\ + \ in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\"\ + , \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version:\ + \ ''\n filters: []\n- id: ransomware_note\n version: ffd9b885\n description:\ + \ Possible ransomware note created under common user directories\n expression:\ + \ open.flags & O_CREAT > 0 && open.file.path in [~\"/home/**\", ~\"/root/**\"\ + ,\n ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\"\ + , ~\"/var/lib/log/**\",\n ~\"/var/backup/**\", ~\"/var/www/**\"] && open.file.name\ + \ in [r\"(?i).*(restore|recovery|readme|instruction|how_to|ransom).*|.*(your_|crypt|lock|important).*\\\ + .txt$\"]\n && open.file.name != \"README.md\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n 
description:\ + \ RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) &&\ + \ process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\",\ + \ ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n\ + \ description: The kubeconfig file was accessed\n expression: open.file.path\ + \ in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n\ + \ filters: []\n- id: read_release_info\n version: d0cc9710\n description:\ + \ OS information was read from the /etc/lsb-release file\n expression: open.file.path\ + \ == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n\ + \ filters: []\n- id: redis_sandbox_escape\n version: d7eb615a\n description:\ + \ Detects CVE-2022-0543\n expression: (open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\"\ + \ && open.file.name in\n [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\"\ + , \"libc-2.32.so\", \"libc-2.33.so\",\n \"libc-2.34.so\", \"libc-2.35.so\"\ + , \"libc-2.36.so\", \"libc-2.37.so\"]) && process.ancestors.comm\n in [\"\ + redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n-\ + \ id: redis_save_module\n version: b1cb9110\n description: Redis module has\ + \ been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\"\ + , ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\"\ + , \"redis-server\"]\n agent_version: ''\n filters: []\n- id: runc_modification\n\ + \ version: c7144439\n description: The runc binary was modified in a non-standard\ + \ way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\"\ + , \"/usr/bin/docker-runc\"]\n && 
open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY\ + \ > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n agent_version: ''\n filters: []\n- id: scheduled_task_creation\n version:\ + \ 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name\ + \ in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os\ + \ == \"windows\"\n- id: selinux_disable_enforcement\n version: afa9a8ba\n \ + \ description: SELinux enforcement status was disabled\n expression: selinux.enforce.status\ + \ in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\ + \n agent_version: ''\n filters: []\n- id: sensitive_tracing\n version: c4585b20\n\ + \ description: A process is tracing privileged processes or sshd for possible\ + \ credential\n dumping\n expression: (ptrace.request == PTRACE_PEEKTEXT\ + \ || ptrace.request == PTRACE_PEEKDATA\n || ptrace.request == PTRACE_PEEKUSR)\ + \ && ptrace.tracee.euid == 0 && process.comm\n not in [\"dlv\", \"dlv-linux-amd64\"\ + , \"strace\", \"gdb\", \"lldb-server\"]\n agent_version: ''\n filters:\n \ + \ - os == \"linux\"\n- id: service_stop\n version: 8e434232\n description:\ + \ systemctl used to stop a service\n expression: exec.file.name == \"systemctl\"\ + \ && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n\ + \ version: ff763e6\n description: Shell History was Deleted\n expression:\ + \ (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n \ + \ not in [\"dockerd\", \"containerd\"]\n 
agent_version: ''\n filters: []\n\ + - id: shell_history_symlink\n version: 31982e4d\n description: A symbolic\ + \ link for shell history was created targeting /dev/null\n expression: exec.comm\ + \ == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version:\ + \ ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description:\ + \ Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path\ + \ in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\ + \n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version:\ + \ d1cecdac\n description: Shell profile was modified\n expression: open.file.path\ + \ in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY))\ + \ > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n\ + \ version: 79be8a18\n description: SSH modified keys may have been modified\n\ + \ expression: |-\n (\n chmod.file.name in [ \"authorized_keys\",\ + \ \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\"\ + , ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n\ + \ agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version:\ + \ 7c835bfd\n description: SSH modified keys may have been modified\n expression:\ + \ |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ + \ ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ + \ ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ + \ != chown.file.gid)\n agent_version: ''\n filters:\n - os == \"linux\"\n\ + - id: ssh_authorized_keys_link\n version: 979d56a1\n description: SSH modified\ + \ keys may have been modified\n expression: |-\n (\n link.file.name\ + \ in [ \"authorized_keys\", 
\"authorized_keys2\" ] && (link.file.path in [ ~\"\ + /root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path\ + \ in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n \ + \ )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n\ + \ version: c4fa7b8f\n description: SSH modified keys may have been modified\n\ + \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ + \ ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ + \ ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n\ + \ version: 513f8108\n description: SSH modified keys may have been modified\n\ + \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ + \ ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ + \ ])\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: ssh_authorized_keys_rename\n version: 6f58449a\n\ + \ description: SSH modified keys may have been modified\n expression: |-\n\ + \ (\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ + \ ] && (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ + \ ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\"\ + , ~\"/var/lib/*/.ssh/*\" ])\n )\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: ssh_authorized_keys_unlink\n version: 41090e4e\n description:\ + \ SSH modified keys may have been modified\n expression: |-\n (\n \ + \ unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (unlink.file.path\ + \ in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n \ + \ )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
ssh_authorized_keys_utimes\n\ + \ version: c614f0d\n description: SSH modified keys may have been modified\n\ + \ expression: |-\n (\n utimes.file.name in [ \"authorized_keys\"\ + , \"authorized_keys2\" ] && (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\"\ + , ~\"/var/lib/*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id:\ + \ ssl_certificate_tampering_chmod\n version: 128236e9\n description: SSL certificates\ + \ may have been tampered with\n expression: |-\n (\n (chmod.file.path\ + \ in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n\ + \ && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ + \ ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 5af3db18\n\ + \ description: SSL certificates may have been tampered with\n expression:\ + \ |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid\ + \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n &&\ + \ process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ != 
\"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n\ + \ version: 1f02b72d\n description: SSL certificates may have been tampered\ + \ with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\"\ + , ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\"\ + , ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n \ + \ && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name\ + \ !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n\ + \ version: c34bcf3a\n description: SSL certificates may have been tampered\ + \ with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY)\ + \ > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ + \ ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n && process.file.name\ + \ !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open_v2\n\ + \ version: a90058eb\n description: SSL certificates may have been tampered\ + \ with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY)\ + \ > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ + \ ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name\ + \ !~ \"runc*\"\n && container.created_at > 90s\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: ssl_certificate_tampering_rename\n version: e74f2226\n\ + \ description: SSL certificates may have been tampered with\n expression:\ + \ |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ + \ ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"\ + /etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"\ + /usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n\ + \ && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name\ + \ !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_unlink\n\ + \ version: 774e2aea\n description: SSL certificates may have 
been tampered\ + \ with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n &&\ + \ process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ + \ ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n\ + \ description: SSL certificates may have been tampered with\n expression:\ + \ |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \ + \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ + /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n &&\ + \ process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_chmod\n\ + \ version: ae70daab\n description: Sudoers policy file may have been modified\ + \ without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\ + \") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && 
process.ancestors.file.path\ + \ not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\ + \", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"\ + /usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\ + \"\\\n ]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_chown\n\ + \ version: 898b1aa0\n description: Sudoers policy file may have been modified\ + \ without authorization\n expression: |-\n (\n (chown.file.path ==\ + \ \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid\ + \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters:\ + \ []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description:\ + \ Sudoers policy file may have been modified without authorization\n expression:\ + \ |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path\ + \ == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n\ + \ version: af2610b6\n description: Sudoers policy file may have been modified\ + \ without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not\ + \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description:\ + \ Sudoers policy file may have been modified without authorization\n expression:\ + \ |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path\ + \ == \"/etc/sudoers\")\n )\n agent_version: ''\n filters:\n - os == \"\ + linux\"\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description:\ + \ Sudoers policy file may have been 
modified without authorization\n expression:\ + \ |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version:\ + \ ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n\ + \ description: Sudoers policy file may have been modified without authorization\n\ + \ expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n \ + \ ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ + /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"\ + /usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: suid_file_execution\n\ + \ version: 1b4f4075\n description: a SUID file was executed\n expression:\ + \ (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n \ + \ > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path\ + \ != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_bitsadmin_usage\n\ + \ version: 86c03d62\n description: A suspicious bitsadmin command has been\ + \ executed\n expression: exec.file.name == \"bitsadmin.exe\" && exec.cmdline\ + \ in [~\"*addfile*\",\n ~\"*create*\", ~\"*resume*\"]\n agent_version: ''\n\ + \ filters:\n - os == \"windows\"\n- id: suspicious_container_client\n version:\ + \ 8b9461f4\n description: A container management utility was executed in a\ + \ container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id\ + \ != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: suspicious_suid_execution\n\ + \ version: 216c8207\n description: Recently written or modified suid file\ + \ has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n\ + \ < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in\ + \ [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\"\ + , 
\"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\"\ + , \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\"\ + , \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \ + \ \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n\ + \ version: e555b2b0\n description: A service may have been modified without\ + \ authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"\ + /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode\ + \ != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n\ + \ version: a0497885\n description: A service may have been modified without\ + \ authorization\n expression: |-\n (\n (chown.file.path in [ ~\"\ + /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid\ + \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version:\ + \ ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n\ + \ description: A service may have been modified without authorization\n expression:\ + \ |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ + , ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [\ + \ 
~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ + \ ''\n filters: []\n- id: systemd_modification_open\n version: 13b2daf3\n\ + \ description: A service may have been modified without authorization\n expression:\ + \ |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n \ + \ (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ + , ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_rename\n\ + \ version: 9759ce6\n description: A service may have been modified without\ + \ authorization\n expression: |-\n (\n (rename.file.path in [ ~\"\ + /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ + \ ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\"\ + , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n &&\ + \ process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\"\ + , \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"\ + /usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ + \ ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n\ + \ description: A service may have been modified without authorization\n expression:\ + \ |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"\ + /usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path\ + \ not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ + /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"\ + linux\"\n- id: systemd_modification_utimes\n version: 82acf2d\n description:\ + \ A service may have been modified without authorization\n expression: |-\n\ + \ (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ + , ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tar_execution\n\ + \ version: e63af392\n description: Tar archive created\n expression: exec.file.path\ + \ == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: tde_malware_egress_traffic_allowed_iptables\n\ + \ version: 14f124d7\n description: iptables used to allow egress traffic\n\ + \ expression: exec.comm == \"iptables\" && process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\\ + d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"]\n && process.args not in [r\"(127\\.)|(10\\\ + .)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(172\\.3[0-1]|\\.)|(192\\.168\\.)|(169\\\ + .254\\.)\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_files_with_extensions_created\n\ + \ version: 161c317f\n description: Multiple files with extensions created\ + \ under common user directories\n expression: rename.file.path in [~\"/home/**\"\ + , ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\",\n ~\"/var/log/**\", ~\"\ + /var/lib/log/**\", ~\"/var/backup/*\", ~\"/var/www/**\"] && rename.file.destination.name\n\ + \ in [r\"\\.[0-9a-z]+$\"] && rename.file.destination.name not in [r\".*\\\ + 
.(lock|dbtmp|log|journal|ini|sh|json|yml|tmp|snap|txt|pyc|stat|hcl|[0-9])+$\"\ + ]\n && process.comm not in [\"python\",\"python3\",\"agent\",\"security-agent\"\ + ,\"kubectl\",\"kubelet\",\"datadog-cluster\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: tde_malware_kernel_module_loaded_from_tmp\n version:\ + \ 7673f399\n description: Kernel module loaded from common tmp directories\n\ + \ expression: load_module.file.path in [ ~\"/tmp/**\", ~\"/var/tmp/**\" ]\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_libpam_hooked_using_ebpf\n\ + \ version: adbe1bb1\n description: Libpam.so library hooked using ebpf\n \ + \ expression: bpf.cmd == BPF_MAP_CREATE && process.args in [r\".*libpam.so.*\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_privileged_processes_or_sshd_traced\n\ + \ version: eda95b21\n description: A process is tracing privileged processes\ + \ or sshd for possible credential\n dumping\n expression: ((ptrace.tracee.euid==0\ + \ && ptrace.tracee.uid ==0)||ptrace.tracee.comm\n in [~\"*sshd*\"]) && process.comm\ + \ not in [\"dlv\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n-\ + \ id: tde_malware_proxychains_executed\n version: 192a7f03\n description:\ + \ Proxychaining technique used\n expression: exec.comm == \"proxychains\"\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_ransomware_notes_written\n\ + \ version: 6d3052dc\n description: A possible ransomware note created under\ + \ common user directories\n expression: open.file.path in [~\"/home/**\", ~\"\ + /root/**\", ~\"/bin/**\", ~\"/usr/bin/**\",\n ~\"/opt/**\", ~\"/etc/**\"\ + , ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\",\n ~\"/var/www/**\"\ + ] && open.file.name in [r\".*(restore|recovery|readme|instruction|how_to|ransom).*\"\ + ,\n r\".*(your_|crypt|lock|important).*\\.txt$\"]\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: tde_malware_system_logs_deleted\n 
version:\ + \ f5fec42d\n description: A process deleted common system log files\n expression:\ + \ unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\"\ + ,\n \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\"\ + ,\n \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"\ + /var/log/kern.log\"]\n && process.comm !=\"dockerd\"\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: tde_malware_tunneling_and_port_forwarding_technique_used\n\ + \ version: e253fced\n description: Tunneling and port forwarding tool used\n\ + \ expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args\n\ + \ in [r\".*(-L|-C|-R).*\"])||(exec.comm in [\"ssh\", \"sshd\"] && process.args\ + \ in [r\".*(-R|-L|-D|w).*\"]\n && process.args in [r\"((25[0-5]|(2[0-4]|1\\\ + d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm\n == \"sshuttle\" && process.args\ + \ in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm\n == \"socat\" &&\ + \ process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in\n [\"\ + iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\"\ + , \"ssf\", \"3proxy\",\n \"ngrok\"] && process.parent.comm in [\"bash\",\ + \ \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\"\ + ])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_nsenter_pid1_detection\n\ + \ version: 7a2d42c7\n description: nsenter used in container to execute code\ + \ on the OS PID1\n expression: exec.file.name == \"nsenter\" && exec.args_options\ + \ in [\"target=1\", \"t=1\"]\n && container.id !=\"\"\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: tde_red_team_domains_used\n version:\ + \ 1b507607\n description: Connection to red team domain\n expression: dns.question.name\ + \ in [~\"*.interact.sh\" , ~\"*.oast.pro\" , ~\"*.oast.live\"\n , ~\"*.oast.site\"\ + \ , ~\"*.oast.online\" , ~\"*.oast.fun\" , ~\"*.oast.me\" , 
~\"*.burpcollaborator.net\"\ + \n , ~\"*.oastify.com\" , ~\"*canarytokens.com\" , ~\"*.requestbin.net\"\ + \ , ~\"*.dnslog.cn\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n\ + - id: tde_testing_tampering\n version: c2be3b92\n description: testing only\n\ + \ expression: exec.comm == \"abcdefgh\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: tty_shell_in_container\n version: 3d9489bb\n description:\ + \ A shell with a TTY was executed in a container\n expression: |-\n exec.file.path\ + \ in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"\ + /bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\"\ + ,\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\"\ + ,\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\"\ + ,\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n\ + \ \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \ + \ \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\"\ + ,\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n\ + \ \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \ + \ \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id\ + \ != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version:\ + \ 816201a5\n description: Tunneling or port forwarding tool used\n expression:\ + \ ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args\n\ + \ in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args\ + \ in [r\".*(-R|-L|-D|w).*\"]\n && process.args in [r\"((25[0-5]|(2[0-4]|1\\\ + d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm\n == \"sshuttle\" && process.args\ + \ in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm\n == \"socat\" &&\ + \ process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in\n [\"\ + iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\"\ + , \"ssf\", \"3proxy\",\n \"ngrok\"] && process.parent.comm in 
[\"bash\",\ + \ \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\"\ + ])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n\ + \ version: 5b5f4a52\n description: A user was created via an interactive session\n\ + \ expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] &&\ + \ exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version:\ + \ ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description:\ + \ A user was deleted via an interactive session\n expression: exec.file.name\ + \ in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + ,\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: wmi_spawning_shell\n\ + \ version: 6b9ff5c7\n description: Command executed via WMI\n expression:\ + \ exec.file.name in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name\n\ + \ == \"WmiPrvSE.exe\"\n agent_version: ''\n filters:\n - os == \"windows\"\ + \n" code: 200 duration: 0ms headers: diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze new file mode 100644 index 00000000000..36950db3c90 --- /dev/null 
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
@@ -0,0 +1 @@
+2024-03-08T14:19:15.935Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml
new file mode 100644
index 00000000000..790baef7ea2
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml
@@ -0,0 +1,65 @@
+interactions:
+- request:
+ body: |
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1709907555"},"type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 0
+ method: POST
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ response:
+ body: '{"data":{"id":"oes-jfu-tm8","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1709907556177,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os
+ == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1709907555","updateDate":1709907556177,"updater":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"}}}}'
+ code: 200
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+- request:
+ body: |
+ {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path = sh"},"id":"abc-123-xyz","type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 1
+ method: PATCH
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/oes-jfu-tm8
+ response:
+ body: '{"errors":[{"title":"failed to update rule"}]}
+
+ '
+ code: 400
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 400 Bad Request
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ id: 2
+ method: DELETE
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/oes-jfu-tm8
+ response:
+ body: ''
+ code: 204
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+version: 2
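Review bot: The recorded response bodies in this new cassette embed a real person's display name and e-mail address in the `creator` and `updater` objects (`"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}`), and the same appears in the new "Update a CSM Threats Agent rule returns OK" cassette and in the re-recorded Cloud Workload Security Bad Request and OK cassettes further down, where the previous recordings carried a shared `frog@datadoghq.com` handle with `"name":null`. These fixtures are committed and replayed as-is, so the personal data adds nothing to the test while it stays in the repository history. Re-record with a shared test account, or have the recorder scrub the `creator`/`updater` objects before the cassette is written, so that only the fields the scenario steps assert on are kept.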
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..205d72408c0
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2024-03-08T14:19:17.581Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml
new file mode 100644
index 00000000000..51148f379d1
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml
@@ -0,0 +1,24 @@
+interactions:
+- request:
+ body: |
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\""},"id":"abc-123-xyz","type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 0
+ method: PATCH
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz
+ response:
+ body: '{"errors":[{"title":"failed to update rule"}]}
+
+ '
+ code: 404
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 404 Not Found
+version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
new file mode 100644
index 00000000000..0c7bf42c8f1
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
@@ -0,0 +1 @@
+2024-03-08T14:19:17.965Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
new file mode 100644
index 00000000000..f7f5c89c814
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
@@ -0,0 +1,67 @@
+interactions:
+- request:
+ body: |
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsokresponse1709907557"},"type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 0
+ method: POST
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ response:
+ body: '{"data":{"id":"qp6-ix5-6o6","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1709907558307,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os
+ == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsokresponse1709907557","updateDate":1709907558307,"updater":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"}}}}'
+ code: 200
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+- request:
+ body: |
+ {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\""},"id":"qp6-ix5-6o6","type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 1
+ method: PATCH
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qp6-ix5-6o6
+ response:
+ body: '{"data":{"id":"qp6-ix5-6o6","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1709907558000,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"Test
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os
+ == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsokresponse1709907557","updateDate":1709907559088,"updater":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"}}}}'
+ code: 200
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ id: 2
+ method: DELETE
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qp6-ix5-6o6
+ response:
+ body: ''
+ code: 204
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze
index 8028840b89f..2d0f6f108f8 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze
@@ -1 +1 @@
-2022-05-12T09:51:26.947Z
\ No newline at end of file
+2024-03-08T14:19:20.303Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml
index b6fb8b2c190..8b99165b583 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml
@@ -1,7 +1,7 @@
 interactions:
 - request:
 body: |
- {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1652349086"},"type":"agent_rule"}}
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709907560"},"type":"agent_rule"}}
 form: {}
 headers:
 Accept:
@@ -12,14 +12,17 @@ interactions:
 method: POST
 url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
 response:
- body: '{"data":{"attributes":{"category":"Process Activity","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1652349086","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My
- Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349087367,"creationDate":1652349087367,"expression":"exec.file.name
- == \"sh\""},"type":"agent_rule","id":"ezf-mkn-g0o"}}'
+ body: '{"data":{"id":"bvz-vbk-lmb","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709907560","description":"My
+ Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907560595,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907560595,"filters":["os
+ == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}}
+
+ '
 code: 200
 duration: 0ms
 headers:
 Content-Type:
- - application/json;charset=utf-8
+ - application/json
 status: 200 OK
 - request:
 body: |
@@ -32,11 +35,13 @@ interactions:
 - application/json
 id: 1
 method: PATCH
- url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ezf-mkn-g0o
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bvz-vbk-lmb
 response:
 body: '{"errors":["input_validation_error(Field ''expression'' is invalid: rule
- `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1652349086`
- definition error: syntax error: 1:18: unexpected token \"sh\" (expected \"~\"))"]}'
+ `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709907560`
+ error: syntax error `1:18: unexpected token \"sh\" (expected \"~\")`)"]}
+
+ '
 code: 400
 duration: 0ms
 headers:
@@ -51,13 +56,11 @@ interactions:
 - '*/*'
 id: 2
 method: DELETE
- url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ezf-mkn-g0o
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bvz-vbk-lmb
 response:
 body: ''
 code: 204
 duration: 0ms
- headers:
- Content-Type:
- - application/json;charset=utf-8
+ headers: {}
 status: 204 No Content
 version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
index 27f706249cc..aab8c031377 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
@@ -1 +1 @@
-2022-01-11T18:11:42.604Z
\ No newline at end of file
+2024-03-08T14:19:21.451Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml
index 446393a437b..bccbb853aea 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml
@@ -12,7 +12,9 @@ interactions:
 method: PATCH
 url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz
 response:
- body: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]}'
+ body: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]}
+
+ '
 code: 404
 duration: 0ms
 headers:
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
index 0aec4a5ed8a..944438cc312 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
@@ -1 +1 @@
-2022-05-12T09:51:28.357Z
\ No newline at end of file
+2024-03-08T14:19:21.789Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
index 055f03b739a..6531e6911d6 100644
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
@@ -1,7 +1,7 @@
 interactions:
 - request:
 body: |
- {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1652349088"},"type":"agent_rule"}}
+ {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1709907561"},"type":"agent_rule"}}
 form: {}
 headers:
 Accept:
@@ -12,14 +12,17 @@ interactions:
 method: POST
 url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
 response:
- body: '{"data":{"attributes":{"category":"Process Activity","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1652349088","creator":{"handle":"frog@datadoghq.com","name":null},"description":"My
- Agent rule","enabled":true,"defaultRule":false,"version":1,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349088786,"creationDate":1652349088786,"expression":"exec.file.name
- == \"sh\""},"type":"agent_rule","id":"ivl-0d3-hga"}}'
+ body: '{"data":{"id":"usl-wf5-qjp","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1709907561","description":"My
+ Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907562158,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907562158,"filters":["os
+ == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}}
+
+ '
 code: 200
 duration: 0ms
 headers:
 Content-Type:
- - application/json;charset=utf-8
+ - application/json
 status: 200 OK
 - request:
 body: |
@@ -32,16 +35,19 @@ interactions:
 - application/json
 id: 1
 method: PATCH
- url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ivl-0d3-hga
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/usl-wf5-qjp
 response:
- body: '{"data":{"attributes":{"category":"Process Activity","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1652349088","creator":{"handle":"frog@datadoghq.com","name":null},"description":"Test
- Agent rule","enabled":true,"defaultRule":false,"version":2,"updater":{"handle":"frog@datadoghq.com","name":null},"updateDate":1652349089262,"creationDate":1652349088786,"expression":"exec.file.name
- == \"sh\""},"type":"agent_rule","id":"ivl-0d3-hga"}}'
+ body: '{"data":{"id":"usl-wf5-qjp","attributes":{"version":2,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1709907561","description":"Test
+ Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907562158,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907562613,"filters":["os
+ == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo
+ Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}}
+
+ '
 code: 200
 duration: 0ms
 headers:
 Content-Type:
- - application/json;charset=utf-8
+ - application/json
 status: 200 OK
 - request:
 body: ''
@@ -51,13 +57,11 @@ interactions:
 - '*/*'
 id: 2
 method: DELETE
- url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ivl-0d3-hga
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/usl-wf5-qjp
 response:
 body: ''
 code: 204
 duration: 0ms
- headers:
- Content-Type:
- - application/json;charset=utf-8
+ headers: {}
 status: 204 No Content
 version: 2
diff --git a/tests/scenarios/features/v2/cloud_workload_security.feature b/tests/scenarios/features/v2/cloud_workload_security.feature
index ae068c81dca..338b440b423 100644
--- a/tests/scenarios/features/v2/cloud_workload_security.feature
+++ b/tests/scenarios/features/v2/cloud_workload_security.feature
@@ -10,6 +10,27 @@ Feature: Cloud Workload Security
 And a valid "appKeyAuth" key in the system
 And an instance of "CloudWorkloadSecurity" API
 
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Create a CSM Threats Agent rule returns "Bad Request" response
+ Given new "CreateCSMThreatsAgentRule" request
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == sh", "name": "my_agent_rule"}, "type": "agent_rule"}}
+ When the request is sent
+ Then the response status is 400 Bad Request
+
+ @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Create a CSM Threats Agent rule returns "Conflict" response
+ Given new "CreateCSMThreatsAgentRule" request
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "my_agent_rule"}, "type": "agent_rule"}}
+ When the request is sent
+ Then the response status is 409 Conflict
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Create a CSM Threats Agent rule returns "OK" response
+ Given new "CreateCSMThreatsAgentRule" request
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "my_agent_rule"}, "type": "agent_rule"}}
+ When the request is sent
+ Then the response status is 200 OK
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Create a Cloud Workload Security Agent rule returns "Bad Request" response
 Given new "CreateCloudWorkloadSecurityAgentRule" request
@@ -33,6 +54,21 @@ Feature: Cloud Workload Security
 And the response "data.type" is equal to "agent_rule"
 And the response "data.attributes.description" is equal to "Test Agent rule"
 
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Delete a CSM Threats Agent rule returns "Not Found" response
+ Given new "DeleteCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter with value "abc-123-xyz"
+ When the request is sent
+ Then the response status is 404 Not Found
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Delete a CSM Threats Agent rule returns "OK" response
+ Given there is a valid "agent_rule_rc" in the system
+ And new "DeleteCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ When the request is sent
+ Then the response status is 204 OK
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Delete a Cloud Workload Security Agent rule returns "Not Found" response
 Given new "DeleteCloudWorkloadSecurityAgentRule" request
@@ -48,6 +84,23 @@ Feature: Cloud Workload Security
 When the request is sent
 Then the response status is 204 OK
 
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Get a CSM Threats Agent rule returns "Not Found" response
+ Given new "GetCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter with value "abc-123-xyz"
+ When the request is sent
+ Then the response status is 404 Not Found
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Get a CSM Threats Agent rule returns "OK" response
+ Given there is a valid "agent_rule_rc" in the system
+ And new "GetCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ When the request is sent
+ Then the response status is 200 OK
+ And the response "data.type" is equal to "agent_rule"
+ And the response "data.attributes.description" is equal to "My Agent rule"
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get a Cloud Workload Security Agent rule returns "Not Found" response
 Given new "GetCloudWorkloadSecurityAgentRule" request
@@ -65,6 +118,12 @@ Feature: Cloud Workload Security
 And the response "data.type" is equal to "agent_rule"
 And the response "data.attributes.description" is equal to "My Agent rule"
 
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Get all CSM Threats Agent rules returns "OK" response
+ Given new "ListCSMThreatsAgentRules" request
+ When the request is sent
+ Then the response status is 200 OK
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get all Cloud Workload Security Agent rules returns "OK" response
 Given there is a valid "agent_rule" in the system
@@ -73,12 +132,54 @@ Feature: Cloud Workload Security Then the response status is 200 OK And the response "data[0].type" is equal to "agent_rule" + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Get the latest CSM Threats policy returns "OK" response + Given new "DownloadCSMThreatsPolicy" request + When the request is sent + Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get the latest Cloud Workload Security policy returns "OK" response Given new "DownloadCloudWorkloadPolicyFile" request When the request is sent Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent rule returns "Bad Request" response + Given there is a valid "agent_rule_rc" in the system + And new "UpdateCSMThreatsAgentRule" request + And request contains "agent_rule_id" parameter from "agent_rule.data.id" + And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh"}, "type": "agent_rule", "id":"abc-123-xyz"}} + When the request is sent + Then the response status is 400 Bad Request + + @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent rule returns "Concurrent Modification" response + Given new "UpdateCSMThreatsAgentRule" request + And request contains "agent_rule_id" parameter from "REPLACE.ME" + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule"}} + When the request is sent + Then the response status is 409 Concurrent Modification + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent rule returns "Not Found" response + Given new "UpdateCSMThreatsAgentRule" request + And request contains "agent_rule_id" 
parameter with value "abc-123-xyz" + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"abc-123-xyz"}} + When the request is sent + Then the response status is 404 Not Found + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent rule returns "OK" response + Given there is a valid "agent_rule_rc" in the system + And new "UpdateCSMThreatsAgentRule" request + And request contains "agent_rule_id" parameter from "agent_rule.data.id" + And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + When the request is sent + Then the response status is 200 OK + And the response "data.type" is equal to "agent_rule" + And the response "data.attributes.description" is equal to "Test Agent rule" + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a Cloud Workload Security Agent rule returns "Bad Request" response Given there is a valid "agent_rule" in the system diff --git a/tests/scenarios/features/v2/given.json b/tests/scenarios/features/v2/given.json index 8c2a75b9b1b..73de3c05e39 100644 --- a/tests/scenarios/features/v2/given.json +++ b/tests/scenarios/features/v2/given.json @@ -355,6 +355,18 @@ "tag": "Powerpack", "operationId": "CreatePowerpack" }, + { + "parameters": [ + { + "name": "body", + "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"enabled\": true\n }\n }\n}" + } + ], + "step": "there is a valid \"agent_rule_rc\" in the system", + "key": "agent_rule", + "tag": "Cloud Workload Security", + "operationId": "CreateCSMThreatsAgentRule" + }, { "parameters": [ { 
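Review bot: The `Update a CSM Threats Agent rule returns "Bad Request" response` scenario combines two plausible causes of a 400 in one request — a body `id` of `abc-123-xyz` that disagrees with the `agent_rule_id` path parameter taken from `agent_rule.data.id`, and an expression `open.file.path = sh` that, compared with `exec.file.name == \"sh\"` in the neighbouring scenarios, appears not to be a well-formed SECL expression. Which validation the 400 exercises is therefore unclear, and a later change to either check could go unnoticed. Consider one cause per scenario, e.g. keep `"expression": "exec.file.name == \"sh\""` with the mismatched id, or use `"id":"{{ agent_rule.data.id }}"` with the malformed expression. The `Concurrent Modification` scenario is `@skip`-tagged with a `REPLACE.ME` id and no body `id`, so it is not exercised yet; that is presumably intentional pending a fixture.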
diff --git a/tests/scenarios/features/v2/undo.json b/tests/scenarios/features/v2/undo.json index 387676557ab..90fee66806c 100644 --- a/tests/scenarios/features/v2/undo.json +++ b/tests/scenarios/features/v2/undo.json @@ -1333,6 +1333,49 @@ "type": "idempotent" } }, + "ListCSMThreatsAgentRules": { + "tag": "Cloud Workload Security", + "undo": { + "type": "safe" + } + }, + "CreateCSMThreatsAgentRule": { + "tag": "Cloud Workload Security", + "undo": { + "operationId": "DeleteCSMThreatsAgentRule", + "parameters": [ + { + "name": "agent_rule_id", + "source": "data.id" + } + ], + "type": "unsafe" + } + }, + "DeleteCSMThreatsAgentRule": { + "tag": "Cloud Workload Security", + "undo": { + "type": "idempotent" + } + }, + "GetCSMThreatsAgentRule": { + "tag": "Cloud Workload Security", + "undo": { + "type": "safe" + } + }, + "UpdateCSMThreatsAgentRule": { + "tag": "Cloud Workload Security", + "undo": { + "type": "idempotent" + } + }, + "DownloadCSMThreatsPolicy": { + "tag": "Cloud Workload Security", + "undo": { + "type": "safe" + } + }, "DeleteRestrictionPolicy": { "tag": "Restriction Policies", "undo": {