From cf02c146816e62c8cdbcfdc5bbf51bc4458f8796 Mon Sep 17 00:00:00 2001 
From: "ci.datadog-api-spec" Date: Wed, 22 May 2024 17:02:30 +0000 Subject: [PATCH] Regenerate client from commit 32bd4ce8 of spec repo --- .apigentools-info | 8 +- .generator/schemas/v2/openapi.yaml | 5 + ...d_security_agent_rule_create_attributes.go | 45 +- .../csm-threats/CreateCSMThreatsAgentRule.go | 5 +- ...eats_Agent_rule_returns_OK_response.freeze | 2 +- ...hreats_Agent_rule_returns_OK_response.yaml | 10 +- ...t_rule_returns_Bad_Request_response.freeze | 1 - ...ent_rule_returns_Bad_Request_response.yaml | 24 - ...gent_rule_returns_Conflict_response.freeze | 1 - ..._Agent_rule_returns_Conflict_response.yaml | 42 - ...eats_Agent_rule_returns_OK_response.freeze | 1 - ...hreats_Agent_rule_returns_OK_response.yaml | 43 - ...t_rule_returns_Bad_Request_response.freeze | 1 - ...ent_rule_returns_Bad_Request_response.yaml | 26 - ...rity_Agent_rule_returns_OK_response.freeze | 1 - ...curity_Agent_rule_returns_OK_response.yaml | 42 - ...ent_rule_returns_Not_Found_response.freeze | 1 - ...Agent_rule_returns_Not_Found_response.yaml | 21 - ...eats_Agent_rule_returns_OK_response.freeze | 1 - ...hreats_Agent_rule_returns_OK_response.yaml | 62 - ...ent_rule_returns_Not_Found_response.freeze | 1 - ...Agent_rule_returns_Not_Found_response.yaml | 21 - ...rity_Agent_rule_returns_OK_response.freeze | 1 - ...curity_Agent_rule_returns_OK_response.yaml | 61 - ...ent_rule_returns_Not_Found_response.freeze | 1 - ...Agent_rule_returns_Not_Found_response.yaml | 21 - ...eats_Agent_rule_returns_OK_response.freeze | 1 - ...hreats_Agent_rule_returns_OK_response.yaml | 64 - ...ent_rule_returns_Not_Found_response.freeze | 1 - ...Agent_rule_returns_Not_Found_response.yaml | 21 - ...rity_Agent_rule_returns_OK_response.freeze | 1 - ...curity_Agent_rule_returns_OK_response.yaml | 64 - ...ats_Agent_rules_returns_OK_response.freeze | 1 - ...reats_Agent_rules_returns_OK_response.yaml | 1410 ----------------- ...ity_Agent_rules_returns_OK_response.freeze | 1 - 
...urity_Agent_rules_returns_OK_response.yaml | 1082 ------------- ..._Threats_policy_returns_OK_response.freeze | 1 - ...SM_Threats_policy_returns_OK_response.yaml | 19 - ...Security_policy_returns_OK_response.freeze | 1 - ...d_Security_policy_returns_OK_response.yaml | 1167 -------------- ...t_rule_returns_Bad_Request_response.freeze | 1 - ...ent_rule_returns_Bad_Request_response.yaml | 65 - ...ent_rule_returns_Not_Found_response.freeze | 1 - ...Agent_rule_returns_Not_Found_response.yaml | 24 - ...eats_Agent_rule_returns_OK_response.freeze | 1 - ...hreats_Agent_rule_returns_OK_response.yaml | 67 - ...t_rule_returns_Bad_Request_response.freeze | 1 - ...ent_rule_returns_Bad_Request_response.yaml | 66 - ...ent_rule_returns_Not_Found_response.freeze | 1 - ...Agent_rule_returns_Not_Found_response.yaml | 24 - ...rity_Agent_rule_returns_OK_response.freeze | 1 - ...curity_Agent_rule_returns_OK_response.yaml | 67 - .../scenarios/features/v2/csm_threats.feature | 2 +- 53 files changed, 60 insertions(+), 4543 deletions(-) delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze delete mode 100644 
tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml delete mode 100644 
tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.yaml delete 
mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze delete mode 100644 
tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze delete mode 100644 tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml diff --git a/.apigentools-info b/.apigentools-info index 46fb44a75d5..85298e11a5a 100644 --- a/.apigentools-info +++ b/.apigentools-info @@ -4,13 +4,13 @@ "spec_versions": { "v1": { "apigentools_version": "1.6.6", - "regenerated": "2024-05-20 18:10:24.268068", - "spec_repo_commit": "6340fda5" + "regenerated": "2024-05-22 17:00:52.719251", + "spec_repo_commit": "32bd4ce8" }, "v2": { "apigentools_version": "1.6.6", - "regenerated": "2024-05-20 18:10:24.286542", - "spec_repo_commit": "6340fda5" + "regenerated": "2024-05-22 17:00:52.742553", + "spec_repo_commit": "32bd4ce8" } } } \ No newline at end of file diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 8575f7f5f14..c904282b709 100644 --- a/.generator/schemas/v2/openapi.yaml 
+++ b/.generator/schemas/v2/openapi.yaml
@@ -4105,6 +4105,11 @@ components:
 description: The SECL expression of the Agent rule.
 example: exec.file.name == \"sh\"
 type: string
+ filters:
+ description: The platforms the Agent rule is supported on.
+ items:
+ type: string
+ type: array
 name:
 description: The name of the Agent rule.
 example: my_agent_rule
diff --git a/api/datadogV2/model_cloud_workload_security_agent_rule_create_attributes.go b/api/datadogV2/model_cloud_workload_security_agent_rule_create_attributes.go
index f72687d4b57..3fd2950b8cc 100644
--- a/api/datadogV2/model_cloud_workload_security_agent_rule_create_attributes.go
+++ b/api/datadogV2/model_cloud_workload_security_agent_rule_create_attributes.go
@@ -18,6 +18,8 @@ type CloudWorkloadSecurityAgentRuleCreateAttributes struct {
 Enabled *bool `json:"enabled,omitempty"`
 // The SECL expression of the Agent rule.
 Expression string `json:"expression"`
+ // The platforms the Agent rule is supported on.
+ Filters []string `json:"filters,omitempty"`
 // The name of the Agent rule.
 Name string `json:"name"`
 // UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct
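Review bot: The new `filters` description, `The platforms the Agent rule is supported on.`, reads as if the elements were platform names, but the example and the recorded request body elsewhere in this patch populate it with expression strings (`os == "linux"`), and the same sentence is copied verbatim into the `Filters` field comment of the generated Go struct in the next hunk. Since the Go model is regenerated from this spec, the wording belongs here, e.g. `description: The platforms the Agent rule is supported on, given as filter expressions such as os == "linux".`, after which the regenerated field comment carries the same text. Without it an SDK user has no indication of the expected element syntax.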
@@ -123,6 +125,34 @@ func (o *CloudWorkloadSecurityAgentRuleCreateAttributes) SetExpression(v string)
 o.Expression = v
 }
 
+// GetFilters returns the Filters field value if set, zero value otherwise.
+func (o *CloudWorkloadSecurityAgentRuleCreateAttributes) GetFilters() []string {
+ if o == nil || o.Filters == nil {
+ var ret []string
+ return ret
+ }
+ return o.Filters
+}
+
+// GetFiltersOk returns a tuple with the Filters field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *CloudWorkloadSecurityAgentRuleCreateAttributes) GetFiltersOk() (*[]string, bool) {
+ if o == nil || o.Filters == nil {
+ return nil, false
+ }
+ return &o.Filters, true
+}
+
+// HasFilters returns a boolean if a field has been set.
+func (o *CloudWorkloadSecurityAgentRuleCreateAttributes) HasFilters() bool {
+ return o != nil && o.Filters != nil
+}
+
+// SetFilters gets a reference to the given []string and assigns it to the Filters field.
+func (o *CloudWorkloadSecurityAgentRuleCreateAttributes) SetFilters(v []string) {
+ o.Filters = v
+}
+
 // GetName returns the Name field value.
 func (o *CloudWorkloadSecurityAgentRuleCreateAttributes) GetName() string {
 if o == nil {
@@ -159,6 +189,9 @@ func (o CloudWorkloadSecurityAgentRuleCreateAttributes) MarshalJSON() ([]byte, e
 toSerialize["enabled"] = o.Enabled
 }
 toSerialize["expression"] = o.Expression
+ if o.Filters != nil {
+ toSerialize["filters"] = o.Filters
+ }
 toSerialize["name"] = o.Name
 
 for key, value := range o.AdditionalProperties {
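Review bot: `HasFilters` and the new `MarshalJSON` branch both test `o.Filters != nil`, so an empty, non-nil slice counts as set and `SetFilters([]string{})` serializes `"filters":[]` while a nil slice omits the key entirely; neither the `HasFilters` comment nor the `SetFilters` comment mentions this nil-versus-empty distinction, which is what decides whether the request carries an (empty) platform filter, and what the API does with an empty list is not visible here. Suggest `// HasFilters reports whether Filters is non-nil; an empty, non-nil slice counts as set and is serialized as "filters":[].` on HasFilters. `GetFilters` returns the struct's own backing slice and `GetFiltersOk` a pointer to the field, so mutating the returned value changes the attributes in place; this matches the generator's other accessors but is worth a word in the `GetFilters` comment. `MarshalJSON` begins and ends outside the second hunk.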
@@ -170,10 +203,11 @@ func (o CloudWorkloadSecurityAgentRuleCreateAttributes) MarshalJSON() ([]byte, e
 // UnmarshalJSON deserializes the given payload.
 func (o *CloudWorkloadSecurityAgentRuleCreateAttributes) UnmarshalJSON(bytes []byte) (err error) {
 all := struct {
- Description *string `json:"description,omitempty"`
- Enabled *bool `json:"enabled,omitempty"`
- Expression *string `json:"expression"`
- Name *string `json:"name"`
+ Description *string `json:"description,omitempty"`
+ Enabled *bool `json:"enabled,omitempty"`
+ Expression *string `json:"expression"`
+ Filters []string `json:"filters,omitempty"`
+ Name *string `json:"name"`
 }{}
 if err = datadog.Unmarshal(bytes, &all); err != nil {
 return datadog.Unmarshal(bytes, &o.UnparsedObject)
@@ -186,13 +220,14 @@ func (o *CloudWorkloadSecurityAgentRuleCreateAttributes) UnmarshalJSON(bytes []b
 }
 additionalProperties := make(map[string]interface{})
 if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
- datadog.DeleteKeys(additionalProperties, &[]string{"description", "enabled", "expression", "name"})
+ datadog.DeleteKeys(additionalProperties, &[]string{"description", "enabled", "expression", "filters", "name"})
 } else {
 return err
 }
 o.Description = all.Description
 o.Enabled = all.Enabled
 o.Expression = *all.Expression
+ o.Filters = all.Filters
 o.Name = *all.Name
 
 if len(additionalProperties) > 0 {
diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.go b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.go
index 8efb12ef04b..921d6e9af2b 100644
--- a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.go
+++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.go
@@ -19,7 +19,10 @@ func main() {
 Description: datadog.PtrString("My Agent rule"),
 Enabled: datadog.PtrBool(true),
 Expression: `exec.file.name == "sh"`,
- Name: "examplecsmthreat",
+ Filters: []string{
+ `os == "linux"`,
+ },
+ Name: "examplecsmthreat",
 },
 Type: datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE,
 },
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_CSM_Threats/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_CSM_Threats/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze index bff050d55d1..42b749c2db2 100644 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_CSM_Threats/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze +++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_CSM_Threats/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:44.371Z \ No newline at end of file +2024-05-22T16:22:22.200Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_CSM_Threats/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_CSM_Threats/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml index 7fada680809..4396f0538f8 100644 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_CSM_Threats/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml +++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_CSM_Threats/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testcreateacsmthreatsagentrulereturnsokresponse1713895064"},"type":"agent_rule"}} + {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os == \"linux\""],"name":"testcreateacsmthreatsagentrulereturnsokresponse1716394942"},"type":"agent_rule"}} form: {} headers: Accept: 
@@ -12,10 +12,10 @@ interactions: method: POST url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules response: - body: '{"data":{"id":"922-a60-32v","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713895064438,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + body: '{"data":{"id":"pn4-mo8-u5r","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716394942614,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testcreateacsmthreatsagentrulereturnsokresponse1713895064","updateDate":1713895064438,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"name":"testcreateacsmthreatsagentrulereturnsokresponse1716394942","updateDate":1716394942614,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' code: 200 duration: 0ms headers: @@ -30,7 +30,7 @@ interactions: - '*/*' id: 1 method: DELETE - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/922-a60-32v + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pn4-mo8-u5r response: body: '' code: 204 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze deleted file mode 100644 index 8ad43c5ec3f..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-28T13:57:47.808Z \ No newline at end of file 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml deleted file mode 100644 index 616378199a0..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml +++ /dev/null @@ -1,24 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == sh","name":"testcreateacsmthreatsagentrulereturnsbadrequestresponse1711634267"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules - response: - body: '{"errors":["input_validation_error(Field ''expression'' is invalid: rule - `testcreateacsmthreatsagentrulereturnsbadrequestresponse1711634267` error: rule - compilation error: field `sh` not found)"]}' - code: 400 - duration: 0ms - headers: - Content-Type: - - application/json - status: 400 Bad Request -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.freeze deleted file mode 100644 index 2dccd862e9d..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-06T09:58:37.695Z \ No newline at end of file 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.yaml deleted file mode 100644 index 4dcb89a911e..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_Conflict_response.yaml +++ /dev/null @@ -1,42 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"my_agent_rule"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules - response: - body: '{"data":{"id":"8r4-bdz-7ma","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1709719118032,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":null,"name":"my_agent_rule","updateDate":1709719118032,"updater":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 1 - method: DELETE - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/8r4-bdz-7ma - response: - body: '' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -version: 2 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze deleted file mode 100644 index 5c5d9638b82..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-28T13:57:48.169Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml deleted file mode 100644 index 06d94c0eae3..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_CSM_Threats_Agent_rule_returns_OK_response.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testcreateacsmthreatsagentrulereturnsokresponse1711634268"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules - response: - body: '{"data":{"id":"kll-o34-int","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1711634268228,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testcreateacsmthreatsagentrulereturnsokresponse1711634268","updateDate":1711634268228,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 1 - method: DELETE - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/kll-o34-int - response: - body: '' - code: 204 - duration: 0ms - headers: - Content-Type: - - application/json - status: 204 No Content -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze deleted file mode 100644 index e9ee5cb3f4d..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze +++ /dev/null 
@@ -1 +0,0 @@ -2024-03-08T14:19:03.967Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml deleted file mode 100644 index e7f8be70174..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml +++ /dev/null @@ -1,26 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path = sh","name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709907543"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules - response: - body: '{"errors":["input_validation_error(Field ''expression'' is invalid: rule - `testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709907543` - error: syntax error `1:18: unexpected token \"sh\" (expected \"~\")`)"]} - - ' - code: 400 - duration: 0ms - headers: - Content-Type: - - application/json - status: 400 Bad Request -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze deleted file mode 100644 index bbb5bba9c39..00000000000 
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:04.358Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml deleted file mode 100644 index 5cf006e3ef0..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1709907544"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules - response: - body: '{"data":{"id":"svr-luf-gzy","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1709907544","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907544744,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907544744,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} - - ' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 1 - method: DELETE - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/svr-luf-gzy - response: - body: '' - code: 204 - duration: 0ms - headers: {} - status: 204 No Content -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze deleted file mode 100644 index 2a00f4dad77..00000000000 
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:05.335Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml deleted file mode 100644 index 2de1cc7fda1..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml +++ /dev/null @@ -1,21 +0,0 @@ -interactions: -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 0 - method: DELETE - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz - response: - body: '{"errors":[{"title":"failed to delete rule"}]} - - ' - code: 404 - duration: 0ms - headers: - Content-Type: - - application/json - status: 404 Not Found -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze deleted file mode 100644 index 9b393995ff0..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:05.699Z \ No newline at end of file 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.yaml deleted file mode 100644 index dba93a774c8..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_CSM_Threats_Agent_rule_returns_OK_response.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testdeleteacsmthreatsagentrulereturnsokresponse1709907545"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules - response: - body: '{"data":{"id":"e19-wln-ypy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1709907546083,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1709907545","updateDate":1709907546083,"updater":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 1 - method: DELETE - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/e19-wln-ypy - response: - body: '' - code: 204 - duration: 0ms - headers: - Content-Type: - - application/json - status: 204 No Content -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 2 - method: DELETE - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/e19-wln-ypy - response: - body: '{"errors":[{"title":"failed to delete rule"}]} - - ' - code: 404 - duration: 0ms - headers: - Content-Type: - - application/json - status: 404 Not Found -version: 2 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze deleted file mode 100644 index da35a9232ee..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:07.580Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml deleted file mode 100644 index 0a30fdeb3d0..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml +++ /dev/null @@ -1,21 +0,0 @@ -interactions: -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 0 - method: DELETE - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz - response: - body: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]} - - ' - code: 404 - duration: 0ms - headers: - Content-Type: - - application/json - status: 404 Not Found -version: 2 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index 7aaa4d93699..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2024-03-08T14:19:07.919Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
deleted file mode 100644
index b4430ab231d..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
+++ /dev/null
@@ -1,61 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1709907547"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules - response: - body: '{"data":{"id":"bo0-5k6-vtc","attributes":{"version":1,"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1709907547","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907548216,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907548216,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} - - ' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 1 - method: DELETE - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bo0-5k6-vtc - response: - body: '' - code: 204 - duration: 0ms - headers: {} - status: 204 No Content -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 2 - method: DELETE - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bo0-5k6-vtc - response: - body: '{"errors":["not_found(Agent rule not found: agentRuleId=bo0-5k6-vtc)"]} - - ' - code: 404 - duration: 0ms - headers: - Content-Type: - - application/json - status: 404 Not Found -version: 2 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze deleted file mode 100644 index fa6ab0bcca0..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:09.189Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml deleted file mode 100644 index f46bb283ae7..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml +++ /dev/null @@ -1,21 +0,0 @@ -interactions: -- request: - body: '' - form: {} - headers: - Accept: - - application/json - id: 0 - method: GET - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz - response: - body: '{"errors":[{"title":"failed to get rule"}]} - - ' - code: 404 - duration: 0ms - headers: - Content-Type: - - application/json - status: 404 Not Found -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze deleted file mode 100644 index 6a658aeb97c..00000000000 
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2024-03-08T14:19:09.586Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
deleted file mode 100644
index fbe3dedd460..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
+++ /dev/null
@@ -1,64 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetacsmthreatsagentrulereturnsokresponse1709907549"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules - response: - body: '{"data":{"id":"hod-pqw-spq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1709907549922,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testgetacsmthreatsagentrulereturnsokresponse1709907549","updateDate":1709907549922,"updater":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - application/json - id: 1 - method: GET - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hod-pqw-spq - response: - body: '{"data":{"id":"hod-pqw-spq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1709907549000,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testgetacsmthreatsagentrulereturnsokresponse1709907549","updateDate":1709907549000,"updater":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 2 - method: DELETE - url: 
https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hod-pqw-spq - response: - body: '' - code: 204 - duration: 0ms - headers: - Content-Type: - - application/json - status: 204 No Content -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze deleted file mode 100644 index 723e55f423d..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:11.425Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml deleted file mode 100644 index 770ec0d149a..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml +++ /dev/null @@ -1,21 +0,0 @@ -interactions: -- request: - body: '' - form: {} - headers: - Accept: - - application/json - id: 0 - method: GET - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz - response: - body: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]} - - ' - code: 404 - duration: 0ms - headers: - Content-Type: - - application/json - status: 404 Not Found -version: 2 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index fc05df64737..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2024-03-08T14:19:11.763Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
deleted file mode 100644
index 1ca342fb36e..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml
+++ /dev/null
@@ -1,64 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1709907551"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules - response: - body: '{"data":{"id":"ynn-umb-rss","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1709907551","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907552061,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907552061,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} - - ' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - application/json - id: 1 - method: GET - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ynn-umb-rss - response: - body: '{"data":{"id":"ynn-umb-rss","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1709907551","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907552061,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907552061,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} - - ' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 2 - method: DELETE - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ynn-umb-rss - response: - body: '' - code: 204 - duration: 0ms - headers: {} - status: 204 No Content -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze deleted file mode 100644 index 38810c62a98..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:12.809Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.yaml deleted file mode 100644 index 27eb64af442..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_CSM_Threats_Agent_rules_returns_OK_response.yaml +++ /dev/null 
@@ -1,1410 +0,0 @@ -interactions: -- request: - body: '' - form: {} - headers: - Accept: - - application/json - id: 0 - method: GET - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules - response: - body: '{"data":[{"id":"cwq-z6j-igp","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection Engineering - CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized - network access by deno runtime","enabled":true,"expression":"bind.addr.family\u003e=0 - \u0026\u0026 process.comm==\"deno\" \u0026\u0026 process.args not in [r\".*(allow-net|allow-ffi|-A|allow-all).*\"]","filters":["os - == \"linux\""],"name":"Deno_unauthorized_network_access_performed","updateDate":1698239523000,"updater":{"name":"Juvenal - Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"lsi-6pb-7th","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection Engineering - CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized - filesystem read by deno runtime","enabled":false,"expression":"process.comm==\"deno\" - \u0026\u0026 open.flags==524288 \u0026\u0026 open.file.name not in process.argv - \u0026\u0026 process.args not in [r\".*(allow-read|-A|allow-all).*\"]","filters":["os - == \"linux\""],"name":"Deno_unauthorized_read_executed","updateDate":1698237510000,"updater":{"name":"Juvenal - Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"mal-nic-u3y","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection Engineering - CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized - subprocess created by deno runtime","enabled":true,"expression":"exec.comm !=\"\" - \u0026\u0026 process.ancestors.comm==\"deno\" 
\u0026\u0026 process.ancestors.args - not in [r\".*(allow-run|-A|allow-all).*\"]","filters":["os == \"linux\""],"name":"Deno_unauthorized_subprocess_created","updateDate":1698239525000,"updater":{"name":"Juvenal - Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"q17-vsb-c4k","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1691743022000,"creator":{"name":"Threat Detection Engineering - CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Unauthorized - filesystem write by deno runtime","enabled":false,"expression":"process.comm==\"deno\" - \u0026\u0026 open.flags \u00261==1 \u0026\u0026 process.args not in [r\".*(allow-write|-A|allow-all).*\"]","filters":["os - == \"linux\""],"name":"Deno_unauthorized_write_executed","updateDate":1698237513000,"updater":{"name":"Juvenal - Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"qp4-oog-vwu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1682687626000,"creator":{"name":"Threat Detection Engineering - CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"A - shell command was executed from a JupyterHub code cell","enabled":true,"expression":"exec.file.path - == \"/usr/bin/bash\" \u0026\u0026 process.ancestors.comm == \"jupyterhub-sing\"","filters":["os - == \"linux\""],"name":"jupyterhub_shell","updateDate":1698238456000,"updater":{"name":"Juvenal - Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"doi-13m-kzx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1688462439000,"creator":{"name":"Threat Detection Engineering - CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"defaultRule":false,"description":"Kubernetes - offensive tool executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" - ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv - )) || exec.file.name in 
[\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os - == \"linux\""],"name":"kubernetes_offensive_tool_executed","updateDate":1698238459000,"updater":{"name":"Juvenal - Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"p24-io5-dv2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1702898544000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"iptables - used to allow egress traffic","enabled":true,"expression":"exec.comm == \"iptables\" - \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] - \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os - == \"linux\""],"name":"tde_malware_egress_traffic_allowed_iptables","updateDate":1702898544000,"updater":{"name":"Ahmed - Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"wy7-3ug-3k7","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1702898570000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Multiple - files with extensions created under common user directories","enabled":true,"expression":"rename.file.path - in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/var/log/**\", - ~\"/var/lib/log/**\", ~\"/var/backup/*\", ~\"/var/www/**\"] \u0026\u0026 rename.file.destination.name - in [r\"\\.[0-9a-z]+$\"] \u0026\u0026 rename.file.destination.name not in [r\".*\\.(lock|dbtmp|log|journal|ini|sh|json|yml|tmp|snap|txt|pyc|stat|hcl|[0-9])+$\"] - \u0026\u0026 process.comm not in [\"python\",\"python3\",\"agent\",\"security-agent\",\"kubectl\",\"kubelet\",\"datadog-cluster\",\"postgres\"]","filters":["os - == 
\"linux\""],"name":"tde_malware_files_with_extensions_created","updateDate":1703590999000,"updater":{"name":"Ahmed - Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"s7a-oly-ndz","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1702898596000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Kernel - module loaded from common tmp directories","enabled":true,"expression":"load_module.file.path - in [ ~\"/tmp/**\", ~\"/var/tmp/**\" ]","filters":["os == \"linux\""],"name":"tde_malware_kernel_module_loaded_from_tmp","updateDate":1702898596000,"updater":{"name":"Ahmed - Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"wvn-ega-hae","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1702898618000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Libpam.so - library hooked using ebpf","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE - \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"tde_malware_libpam_hooked_using_ebpf","updateDate":1702898618000,"updater":{"name":"Ahmed - Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"aie-5ua-pqh","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1702898642000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"A - process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"((ptrace.tracee.euid==0 - \u0026\u0026 ptrace.tracee.uid ==0)||ptrace.tracee.comm in [~\"*sshd*\"]) \u0026\u0026 - process.comm not in [\"dlv\"]","filters":["os == \"linux\""],"name":"tde_malware_privileged_processes_or_sshd_traced","updateDate":1702898642000,"updater":{"name":"Ahmed - 
Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"46g-4uu-8q2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1702898821000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Proxychaining - technique used","enabled":true,"expression":"exec.comm == \"proxychains\"","filters":["os - == \"linux\""],"name":"tde_malware_proxychains_executed","updateDate":1702898821000,"updater":{"name":"Ahmed - Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"yyy-5go-xpw","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1702898856000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"A - possible ransomware note created under common user directories","enabled":true,"expression":"open.file.path - in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", - ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"] - \u0026\u0026 open.file.name in [r\".*(restore|recovery|readme|instruction|how_to|ransom).*\", - r\".*(your_|crypt|lock|important).*\\.txt$\"]","filters":["os == \"linux\""],"name":"tde_malware_ransomware_notes_written","updateDate":1709907009000,"updater":{"name":"Ahmed - Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"vdn-l8j-9h1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1702898880000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"A - process deleted common system log files","enabled":true,"expression":"unlink.file.path - in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", - \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", - \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 - process.comm !=\"dockerd\"","filters":["os == 
\"linux\""],"name":"tde_malware_system_logs_deleted","updateDate":1702898880000,"updater":{"name":"Ahmed - Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"ofh-ne6-jcq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1702898912000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Tunneling - and port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" - || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"])||(exec.comm - in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] - \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] - ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) - || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) - || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", - \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm - in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", - \"fish\"])","filters":["os == \"linux\""],"name":"tde_malware_tunneling_and_port_forwarding_technique_used","updateDate":1702898912000,"updater":{"name":"Ahmed - Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"7nc-c8z-od7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707330428000,"creator":{"name":"Juvenal Araujo","handle":"juvenal.araujo@datadoghq.com"},"defaultRule":false,"description":"nsenter - used in container to execute code on the OS PID1","enabled":true,"expression":"exec.file.name - == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 - container.id !=\"\"","filters":["os == \"linux\""],"name":"tde_nsenter_pid1_detection","updateDate":1707330428000,"updater":{"name":"Juvenal - 
Araujo","handle":"juvenal.araujo@datadoghq.com"}}},{"id":"vui-e82-jrw","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1705501135000,"creator":{"name":"Ahmed Mkadem","handle":"ahmed.mkadem@datadoghq.com"},"defaultRule":false,"description":"Connection - to red team domain","enabled":true,"expression":"dns.question.name in [~\"*.interact.sh\" - , ~\"*.oast.pro\" , ~\"*.oast.live\" , ~\"*.oast.site\" , ~\"*.oast.online\" - , ~\"*.oast.fun\" , ~\"*.oast.me\" , ~\"*.burpcollaborator.net\" , ~\"*.oastify.com\" - , ~\"*canarytokens.com\" , ~\"*.requestbin.net\" , ~\"*.dnslog.cn\"]","filters":["os - == \"linux\""],"name":"tde_red_team_domains_used","updateDate":1705501135000,"updater":{"name":"Ahmed - Mkadem","handle":"ahmed.mkadem@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name - in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name - !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1708708314000,"updater":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name - == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os - == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The - auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path - == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path - in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 - open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name - != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path - =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name - == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", - \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", 
\"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os - == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", - \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os - == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os - == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - base64 command was used to decode information","enabled":true,"expression":"exec.file.name - == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil - was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name - == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 - exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os - == \"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name - in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 - process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os - == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name - in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] - \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == - \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A - compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags - \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 - open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", - ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 - (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm - in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name - not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name - in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 - exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 - process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == - \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known - offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline - in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", - \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", - \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", - \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", 
\"/usr/sbin/chpasswd\", - \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", - \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", - \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags - \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", - \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", - \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", - \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", - 
\"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", - \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", - \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", - \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", - \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 - chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path - in [ 
~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 - (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || - link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n 
(open.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || - rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", 
\"/usr/bin/crontab\" ]\n)\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags - in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args - in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", - ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os - == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process - environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs - in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os - == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name - == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args - in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == - \"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n 
\"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) - \u0026\u0026\nprocess.parent.file.name in 
[\"mysqld\", \"mongod\", \"postgres\"] - \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args - == \"-c locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" - \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process deleted common system log files","enabled":true,"expression":"unlink.file.path - in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", - \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", - \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 - process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - privileged container was created","enabled":true,"expression":"exec.file.name - != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted - \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential - Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag - \u0026 
PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 - PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid - != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential - Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag - \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 - process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] - \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == - \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] - 
\u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path - not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel - modules were listed using the lsmod command","enabled":true,"expression":"exec.comm - == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os - == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The - wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os - == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer - \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != - \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode - \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os - == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", - ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os - == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name - =~ \".*\" \u0026\u0026 
exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", - ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An - interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os - == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name - in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", - \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os - == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress - traffic allowed using iptables","enabled":true,"expression":"exec.comm == \"iptables\" - \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] - \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os - == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 - process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name - in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] - || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name - in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) - \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os - == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path - in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] - \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not - in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path - not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", - \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", - \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", - \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", - \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", - \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", - \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", - \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", - \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", - \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path - not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", 
\"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A - kernel module was loaded","enabled":true,"expression":"load_module.name not - in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", - \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 - process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", - \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - container loaded a new kernel module","enabled":true,"expression":"load_module.name - != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory - == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory - == true \u0026\u0026 container.id !=\"\"","filters":["os == 
\"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm - == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os - == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel - modules were listed using the kmod command","enabled":true,"expression":"exec.comm - == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes - DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" - \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs - in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == - \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library - libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE - \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney - Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode - \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid - != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd - object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 - exec.file.path == \"\"","filters":["os == 
\"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process - memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline - =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name - in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", - ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] - \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - host file system was mounted in a container","enabled":true,"expression":"mount.source.path - == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id - != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Process - hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" - \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - suspicious file was written by a network utility","enabled":true,"expression":"open.flags - \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 - (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", - ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", - ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network - utility executed with suspicious URI","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", - ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", - \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n 
exec.comm - in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" - \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" - ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration - attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", - ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args - not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - network utility was executed in a container","enabled":true,"expression":"(exec.comm - in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] - ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id - != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", - ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - network utility was executed in a container","enabled":true,"expression":"(exec.comm - in 
[\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] - ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id - != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", - ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os - == \"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local - account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name - in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - container executed a new binary not found in the container image","enabled":true,"expression":"container.id - != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time - \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != - chmod.file.mode \u0026\u0026 process.file.path 
not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != - chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified 
without authorization","enabled":true,"expression":"(\n open.flags - \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s - \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS - file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ - \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name - in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" - in exec.argv ) ) || exec.file.name in [ 
\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os - == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent - spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= - 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == - \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path - == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 - O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package - management was detected in a container","enabled":true,"expression":"exec.file.path - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package - management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os - == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os - == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM - may have been modified without 
authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path - in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags - not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name - in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 - process.file.name != 
\"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 
process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in - [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been 
modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n 
\"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in - [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/
bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) - \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", - \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == \"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name - in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes - were listed using the ps command","enabled":true,"expression":"exec.comm == - \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name - not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name - not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", - \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", - \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os - == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection 
- Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request - == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == - \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process attempted to inject code into another process","enabled":true,"expression":"ptrace.request - == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == - PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path - == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] - \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 - exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python - code was provided on the command 
line","enabled":true,"expression":"exec.file.name - == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args - in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", - \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os - == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Possible - ransomware note created under common user directories","enabled":true,"expression":"open.flags - \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", - ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", - ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name - in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] - \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC - scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == - 
\"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - kubeconfig file was accessed","enabled":true,"expression":"open.file.path in - [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS - information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path - == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os - == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects - CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" - \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", - \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", - \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", - \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Redis - module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name - in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", - \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path - in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 - open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os - == 
\"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux - enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status - in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os - == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request - == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == - PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm - not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os - == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl - used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" - \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell - History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") - \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os - == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm - == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os - == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell - History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 - open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name - == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell - profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", - ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 
((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) - \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 - chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 - (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n link.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ]\n || - link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" - ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 - container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name - in [ \"authorized_keys\", 
\"authorized_keys2\" ] \u0026\u0026 (rename.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || - rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" - ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The - configuration directory for an ssh worm","enabled":true,"expression":"open.file.path - in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] - \u0026\u0026 
open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os - == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 chmod.file.mode != chmod.file.destination.mode\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name - !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection 
- Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os - == 
\"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 - process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 - 
process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 - process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified 
without authorization","enabled":true,"expression":"(\n (chmod.file.path - == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == - \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without 
authorization","enabled":true,"expression":"\n(open.flags - \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path - == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
- \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a - SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == - 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid - == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os - == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name - == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", - ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - container management utility was executed in a container","enabled":true,"expression":"exec.file.name - in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os - == 
\"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious - usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" - \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == - \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently - written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode - \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c - 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path - not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - service may have been modified without 
authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os - == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", - ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", - ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Tar - archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" - \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != - \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling - or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" - || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) - || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] - \u0026\u0026 process.args in 
[r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] - ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) - || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) - || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", - \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm - in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", - \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - user was created via an interactive session","enabled":true,"expression":"exec.file.name - in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags - not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - user was deleted via an interactive session","enabled":true,"expression":"exec.file.name - in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command - executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] - \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == - \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection - Engineer","handle":""}}}]}' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze deleted file mode 100644 index 6718e5385e3..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:13.469Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.yaml deleted file mode 100644 index ba4c47dc58c..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.yaml +++ /dev/null 
@@ -1,1082 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1709907553"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules - response: - body: '{"data":{"id":"gd2-ogg-fyk","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1709907553","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907553752,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907553752,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","defaultRule":false,"enabled":true,"creator":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} - - ' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - application/json - id: 1 - method: GET - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules - response: - body: '{"data":[{"id":"gd2-ogg-fyk","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1709907553","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907553752,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907553752,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"},{"id":"g5j-9l5-phu","attributes":{"version":11,"name":"cryptominer_args","description":"A - process launched with arguments associated with cryptominers","expression":"exec.args_flags - in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args - in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", - ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process - Activity","creationDate":0,"updateAuthorUuId":"3c3ddadd-9ceb-11ed-b5f9-b6e96f801924","updateDate":1709241156082,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Daniel - Zhou","handle":"daniel.zhou@datadoghq.com"}},"type":"agent_rule"},{"id":"ya1-tzs-p2g","attributes":{"version":2,"name":"tde_malware_ransomware_notes_written","description":"A - possible ransomware note created under common user directories","expression":"open.file.path - in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", - ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"] - && open.file.name in [r\".*(restore|recovery|readme|instruction|how_to|ransom).*\", - r\".*(your_|crypt|lock|important).*\\.txt$\"]","category":"File Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703167436145,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1708536266340,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - 
Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"xn0-ede-cwo","attributes":{"version":1,"name":"tde_nsenter_pid1_detection","description":"nsenter - used in container to execute code on the OS PID1","expression":"exec.file.name - == \"nsenter\" && exec.args_options in [\"target=1\", \"t=1\"] && container.id - !=\"\"","category":"Process Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1707329054174,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1707329054174,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"wyh-nt8-y0o","attributes":{"version":1,"name":"tde_red_team_domains_used","description":"Connection - to red team domain","expression":"dns.question.name in [~\"*.interact.sh\" , - ~\"*.oast.pro\" , ~\"*.oast.live\" , ~\"*.oast.site\" , ~\"*.oast.online\" , - ~\"*.oast.fun\" , ~\"*.oast.me\" , ~\"*.burpcollaborator.net\" , ~\"*.oastify.com\" - , ~\"*canarytokens.com\" , ~\"*.requestbin.net\" , ~\"*.dnslog.cn\"]","category":"Network - Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1705421116371,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1705421116371,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"mua-npg-7n2","attributes":{"version":1,"name":"looney_tunables_exploit","description":"Looney - Tunables 
(CVE-2023-4911) exploit attempted","expression":"exec.file.mode & S_ISUID - > 0 && exec.file.uid == 0 && exec.uid != 0 && exec.envs in [~\"*GLIBC_TUNABLES*\"]","category":"Process - Activity","creationDate":0,"updateDate":1704404434303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"afy-gnp-rfp","attributes":{"version":1,"name":"kernel_msr_write","description":"A - process attempted to enable writing to model-specific registers","expression":"exec.comm - == \"modprobe\" && process.args =~ \"*msr*allow_writes*\"","category":"Process - Activity","creationDate":0,"updateDate":1704404434302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qew-m41-jfc","attributes":{"version":1,"name":"ransomware_note","description":"Possible - ransomware note created under common user directories","expression":"open.flags - & O_CREAT > 0 && open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", - ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", - ~\"/var/backup/**\", ~\"/var/www/**\"] && open.file.name in [r\"(?i).*(restore|recovery|readme|instruction|how_to|ransom).*|.*(your_|crypt|lock|important).*\\.txt$\"] - && open.file.name != \"README.md\"","category":"File Activity","creationDate":0,"updateDate":1704404434302,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mwt-r43-san","attributes":{"version":1,"name":"sensitive_tracing","description":"A - process is tracing privileged processes or sshd for possible credential dumping","expression":"(ptrace.request - == PTRACE_PEEKTEXT || ptrace.request == 
PTRACE_PEEKDATA || ptrace.request == - PTRACE_PEEKUSR) && ptrace.tracee.euid == 0 && process.comm not in [\"dlv\", - \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","category":"Kernel - Activity","creationDate":0,"updateDate":1704404434302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ul7-jol-1bw","attributes":{"version":1,"name":"cryptominer_envs","description":"Process - environment variables match cryptocurrency miner","expression":"exec.envs in - [~\"*POOL_USER*\", ~\"*POOL_URL*\", ~\"*POOL_PASS*\", ~\"*DONATE_LEVEL*\"]","category":"Process - Activity","creationDate":0,"updateDate":1704404426851,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dqg-wa2-0oi","attributes":{"version":1,"name":"procdump_execution","description":"A - tool used to dump process memory has been executed","expression":"exec.file.name - in [\"procmon.exe\",\"procdump.exe\"]","category":"Process Activity","creationDate":0,"updateDate":1704404425515,"filters":["os - == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"csf-k3c-qka","attributes":{"version":1,"name":"minidump_usage","description":"Process - memory was dumped using the minidump function from comsvcs.dll","expression":"exec.cmdline - =~ \"*MiniDump*\"","category":"Process Activity","creationDate":0,"updateDate":1704404425504,"filters":["os - == 
\"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ghp-mfr-1qz","attributes":{"version":1,"name":"tunnel_traffic","description":"Tunneling - or port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" || - exec.comm == \"gost\") && process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm - in [\"ssh\", \"sshd\"] && process.args in [r\".*(-R|-L|-D|w).*\"] && process.args - in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" - && process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" - && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", - \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", - \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", - \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","category":"Process - Activity","creationDate":0,"updateDate":1704404425504,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uhr-n6q-lvh","attributes":{"version":1,"name":"iptables_egress_allowed","description":"Egress - traffic allowed using iptables","expression":"exec.comm == \"iptables\" && process.args - in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] && - process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","category":"Process - Activity","creationDate":0,"updateDate":1704404424741,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"642-j0s-psf","attributes":{"version":1,"name":"libpam_ebpf_hook","description":"Library - libpam.so hooked using eBPF","expression":"bpf.cmd == BPF_MAP_CREATE && process.args - in [r\".*libpam.so.*\"]","category":"Kernel Activity","creationDate":0,"updateDate":1704404424739,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u8d-fot-gin","attributes":{"version":1,"name":"wmi_spawning_shell","description":"Command - executed via WMI","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] - && process.parent.file.name == \"WmiPrvSE.exe\"","category":"Process Activity","creationDate":0,"updateDate":1704404424705,"filters":["os - == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"17k-2xh-ie2","attributes":{"version":1,"name":"crackmap_exec_executed","description":"Known - offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", - ~\"*cme*\"]","category":"Process Activity","creationDate":0,"updateDate":1704404424475,"filters":["os - == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"45j-2y7-vyd","attributes":{"version":1,"name":"chatroom_request","description":"A - newly created file contacted a chatroom domain","expression":"dns.question.name - in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] && process.file.in_upper_layer - && process.file.change_time < 60s","category":"Network 
Activity","creationDate":0,"updateDate":1704404424472,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ecn-u6p-nqz","attributes":{"version":1,"name":"suspicious_bitsadmin_usage","description":"A - suspicious bitsadmin command has been executed","expression":"exec.file.name - == \"bitsadmin.exe\" && exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","category":"Process - Activity","creationDate":0,"updateDate":1704404424472,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xcs-z8z-hx3","attributes":{"version":1,"name":"ntds_in_commandline","description":"NTDS - file referenced in commandline","expression":"exec.cmdline =~ \"*ntds.dit*\"","category":"Process - Activity","creationDate":0,"updateDate":1704404424468,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"l7e-zmy-5pd","attributes":{"version":1,"name":"scheduled_task_creation","description":"A - scheduled task was created","expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","category":"Process - Activity","creationDate":0,"updateDate":1704404424467,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"i8x-ujp-ueg","attributes":{"version":1,"name":"delete_system_log","description":"A - process deleted common system log files","expression":"unlink.file.path in [\"/var/run/utmp\", - \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", - \"/var/log/syslog\", \"/var/log/messages\", 
\"/var/log/secure\", \"/var/log/auth.log\", - \"/var/log/boot.log\", \"/var/log/kern.log\"] && process.comm not in [\"dockerd\", - \"containerd\"]","category":"File Activity","creationDate":0,"updateDate":1704404424465,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xns-u7l-cxs","attributes":{"version":1,"name":"certutil_usage","description":"Certutil - was executed to transmit or decode a potentially malicious file","expression":"exec.file.name - == \"certutil.exe\" && ((exec.cmdline =~ \"*urlcache*\" && exec.cmdline =~ \"*split*\") - || exec.cmdline =~ \"*decode*\")","category":"Process Activity","creationDate":0,"updateDate":1704404424457,"filters":["os - == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hxr-rjo-6am","attributes":{"version":1,"name":"open_msr_writes","description":"A - process opened a model-specific register (MSR) configuration file","expression":"open.file.path - == \"/sys/module/msr/parameters/allow_writes\" && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY - > 0","category":"File Activity","creationDate":0,"updateDate":1704404424453,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jzh-eac-blf","attributes":{"version":1,"name":"exec_wrmsr","description":"The - wrmsr program executed","expression":"exec.comm == \"wrmsr\"","category":"Process - Activity","creationDate":0,"updateDate":1704404424444,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mdd-iec-z0k","attributes":{"version":14,"name":"database_shell_execution","description":"A - database application spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) - &&\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n!(process.parent.file.name - == \"initdb\" &&\nexec.args == \"-c locale -a\") &&\n!(process.parent.file.name - 
== \"postgres\" &&\nexec.args == ~\"*pg_wal*\")","category":"Process Activity","creationDate":1617722069155,"updateDate":1704404408433,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wic-due-xxn","attributes":{"version":2,"name":"pci_11_5_critical_binaries_open_v2","description":"Critical - system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", - ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" - ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && container.created_at > 90s","category":"File Activity","creationDate":0,"updateDate":1704404408077,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ie9-9ii-vjx","attributes":{"version":18,"name":"nsswitch_conf_mod_chmod","description":"nsswitch - may have been modified without authorization","expression":"(\n (chmod.file.path - in [ \"/etc/nsswitch.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode - && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":1606142958657,"updateDate":1704404407750,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1ez-rlj-tiq","attributes":{"version":2,"name":"nsswitch_conf_mod_open_v2","description":"nsswitch - may have been modified without authorization","expression":"(\n open.flags - & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" - ])\n) && container.created_at > 90s && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":0,"updateDate":1704404407660,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oi0-rk3-alq","attributes":{"version":2,"name":"ssl_certificate_tampering_open_v2","description":"SSL - certificates may have been tampered with","expression":"(\n open.flags & - (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", - ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"\n&& container.created_at > 90s","category":"File - Activity","creationDate":0,"updateDate":1704404407651,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vzp-pj6-nlx","attributes":{"version":19,"name":"nsswitch_conf_mod_chown","description":"nsswitch - may have been modified without authorization","expression":"(\n (chown.file.path - in [ \"/etc/nsswitch.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid) && process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142958657,"updateDate":1704404407506,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wbw-rqf-s3a","attributes":{"version":18,"name":"nsswitch_conf_mod_open","description":"nsswitch - may have been modified without authorization","expression":"(\n open.flags - & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" - ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":1606142958657,"updateDate":1704404407503,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vkp-n2c-4el","attributes":{"version":3,"name":"credential_modified_open_v2","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n open.flags - & 
((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", - \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", - \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && container.created_at > 90s","category":"File Activity","creationDate":0,"updateDate":1704404407503,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ir2-b4s-gfn","attributes":{"version":3,"name":"ssh_authorized_keys_open_v2","description":"SSH - modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] - && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" - ])\n) && container.created_at > 90s","category":"File Activity","creationDate":0,"updateDate":1704404407501,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c2x-vcd-5b4","attributes":{"version":3,"name":"package_management_in_container_v2","description":"Package - management was detected in a conatiner outside of container start_up","expression":"exec.file.path - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - && container.id != \"\" && container.created_at > 90s","category":"Process Activity","creationDate":0,"updateDate":1704404407500,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nmo-zeb-pga","attributes":{"version":3,"name":"suspicious_suid_execution","description":"Recently - written or modified suid file has been executed","expression":"((process.file.mode - & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != - \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", - \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"Process - Activity","creationDate":0,"updateDate":1704404407500,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"crl-kkv-3cm","attributes":{"version":3,"name":"tde_testing_tampering","description":"testing - only","expression":"exec.comm == \"abcdefgh\"","category":"Process Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703684038882,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1704280473848,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering 
CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"s6d-kk2-xoh","attributes":{"version":1,"name":"tde_malware_tunneling_and_port_forwarding_technique_used","description":"Tunneling - and port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" || - exec.comm == \"gost\") && process.args in [r\".*(-L|-C|-R).*\"])||(exec.comm - in [\"ssh\", \"sshd\"] && process.args in [r\".*(-R|-L|-D|w).*\"] && process.args - in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" - && process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" - && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", - \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", - \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", - \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","category":"Process - Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703183027074,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703183027074,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"iqa-7wg-rxt","attributes":{"version":1,"name":"tde_malware_privileged_processes_or_sshd_traced","description":"A - process is tracing privileged processes or sshd for possible credential dumping","expression":"((ptrace.tracee.euid==0 - && ptrace.tracee.uid ==0)||ptrace.tracee.comm in [~\"*sshd*\"]) && process.comm - not in [\"dlv\"]","category":"Kernel 
Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703180056299,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703180056299,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"w8h-hbp-12m","attributes":{"version":1,"name":"tde_malware_system_logs_deleted","description":"A - process deleted common system log files","expression":"unlink.file.path in [\"/var/run/utmp\", - \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", - \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", - \"/var/log/boot.log\", \"/var/log/kern.log\"] && process.comm !=\"dockerd\"","category":"File - Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703178864120,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703178864120,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"wxv-xlp-34y","attributes":{"version":1,"name":"tde_malware_files_with_extensions_created","description":"Multiple - files with extensions created under common user directories","expression":"rename.file.path - in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/var/log/**\", - ~\"/var/lib/log/**\", ~\"/var/backup/*\", ~\"/var/www/**\"] && rename.file.destination.name - in [r\"\\.[0-9a-z]+$\"] && rename.file.destination.name not in 
[r\".*\\.(lock|dbtmp|log|journal|ini|sh|json|yml|tmp|snap|txt|pyc|stat|hcl|[0-9])+$\"] - && process.comm not in [\"python\",\"python3\",\"agent\",\"security-agent\",\"kubectl\",\"kubelet\",\"datadog-cluster\"]","category":"File - Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703174626572,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703174626572,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"3fl-m83-qqt","attributes":{"version":1,"name":"tde_malware_proxychains_executed","description":"Proxychaining - technique used","expression":"exec.comm == \"proxychains\"","category":"Process - Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703171141223,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703171141223,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"gha-zgq-l5p","attributes":{"version":1,"name":"tde_malware_egress_traffic_allowed_iptables","description":"iptables - used to allow egress traffic","expression":"exec.comm == \"iptables\" && process.args - in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] && - process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(172\\.3[0-1]|\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","category":"Process - 
Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703167436195,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703167436195,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"n9z-ini-wrv","attributes":{"version":1,"name":"tde_malware_kernel_module_loaded_from_tmp","description":"Kernel - module loaded from common tmp directories","expression":"load_module.file.path - in [ ~\"/tmp/**\", ~\"/var/tmp/**\" ]","category":"Kernel Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703167436172,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703167436172,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"4jr-tig-mue","attributes":{"version":1,"name":"tde_malware_libpam_hooked_using_ebpf","description":"Libpam.so - library hooked using ebpf","expression":"bpf.cmd == BPF_MAP_CREATE && process.args - in [r\".*libpam.so.*\"]","category":"Kernel Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1703160289438,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1703160289438,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering 
CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"f24-lwh-8pz","attributes":{"version":3,"name":"ps_discovery","description":"Processes - were listed using the ps command","expression":"exec.comm == \"ps\" && exec.argv - not in [\"-p\", \"--pid\"] && process.ancestors.file.name not in [\"qualys-cloud-agent\", - \"amazon-ssm-agent\"]","category":"Process Activity","creationDate":0,"updateAuthorUuId":"309c6bc6-6e68-11ec-b3fe-da7ad0900002","updateDate":1702489222385,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Matt - Mills","handle":"matt.mills@datadoghq.com"}},"type":"agent_rule"},{"id":"esa-kku-q4m","attributes":{"version":8,"name":"common_net_intrusion_util","description":"A - network utility (nmap) commonly used in intrusion attacks was executed","expression":"exec.file.name - in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] - && exec.args_flags not in [\"V\", \"version\"]","category":"Process Activity","creationDate":0,"updateAuthorUuId":"de54768c-eb9f-11e9-a77a-cb84d47a0c16","updateDate":1700488339815,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"C\u00e9cile - Guyon","handle":"cecile.guyon@datadoghq.com"}},"type":"agent_rule"},{"id":"ll4-n4d-zsq","attributes":{"version":8,"name":"k8s_pod_service_account_token_accessed","description":"The - Kubernetes pod service account token was accessed","expression":"open.file.path - in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] - && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", - \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] - && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", - \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", - \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", - \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", - \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", - \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", - \"/node-termination-handler\", \"/fluent-bit-gke-exporter\"] && process.ancestors.file.path - not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","creationDate":0,"updateDate":1699614647574,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o5b-3eb-em5","attributes":{"version":4,"name":"interactive_shell_in_container","description":"An - interactive shell was started inside of a container","expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n 
\"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] && exec.args_flags in [\"i\"] && container.id !=\"\"","category":"Process - Activity","creationDate":1627392835654,"updateDate":1699614634532,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pm7-0bt-lbp","attributes":{"version":19,"name":"ssh_authorized_keys_unlink","description":"SSH - modified keys may have been modified","expression":"(\n unlink.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] && (unlink.file.path in [ ~\"/root/.ssh/*\", - ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","creationDate":1642158535302,"updateDate":1699614632218,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6ss-gx0-o0l","attributes":{"version":2,"name":"exec_lsmod","description":"Kernel - modules were listed using the lsmod command","expression":"exec.comm == \"lsmod\"","category":"Process - Activity","creationDate":0,"updateDate":1699614632049,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bay-wrp-htk","attributes":{"version":2,"name":"omigod","description":"Omiagent - spawns a privileged child process","expression":"exec.uid >= 0 && process.ancestors.file.name - == 
\"omiagent\"","category":"Process Activity","creationDate":1636729662305,"updateDate":1699614629763,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5vv-6pw-c3z","attributes":{"version":2,"name":"exec_whoami","description":"The - whoami command was executed","expression":"exec.comm == \"whoami\"","category":"Process - Activity","creationDate":0,"updateDate":1699614622203,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lb9-6hv-6k2","attributes":{"version":22,"name":"systemd_modification_utimes","description":"A - service may have been modified without authorization","expression":"(\n (utimes.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":0,"updateDate":1699614620744,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u8t-ums-bdn","attributes":{"version":9,"name":"suspicious_container_client","description":"A - container management utility was executed in a container","expression":"exec.file.name - in [\"docker\", \"kubectl\"] && container.id != \"\"","category":"Process Activity","creationDate":1617722068555,"updateDate":1699614618370,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3kb-bma-rya","attributes":{"version":4,"name":"auditd_config_modified","description":"The - auditd configuration file was modified without using auditctl","expression":"open.file.path - == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 && process.file.name != \"auditctl\"","category":"File Activity","creationDate":0,"updateDate":1699614615388,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lag-ggh-k1o","attributes":{"version":2,"name":"network_sniffing_tool","description":"Local - account groups were enumerated after container start up","expression":"exec.file.name - in [\"tcpdump\", \"tshark\"]","category":"Process Activity","creationDate":0,"updateDate":1699614614908,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o4t-6hb-gsb","attributes":{"version":22,"name":"systemd_modification_unlink","description":"A - service may have been modified without authorization","expression":"(\n (unlink.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":0,"updateDate":1699614614159,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cp9-wqy-ie5","attributes":{"version":19,"name":"ssh_authorized_keys_rename","description":"SSH - modified keys may have been modified","expression":"(\n rename.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] && (rename.file.path in [ ~\"/root/.ssh/*\", - ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File - Activity","creationDate":1642158535225,"updateDate":1699614610736,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mmd-hm9-nul","attributes":{"version":28,"name":"pci_11_5_critical_binaries_unlink","description":"Critical - system binaries may have been modified","expression":"(\n (unlink.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","creationDate":1642158535384,"updateDate":1699614610678,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sjc-t7h-y3g","attributes":{"version":2,"name":"sudoers_policy_modified_open","description":"Sudoers - policy file may have been modified without authorization","expression":"\n(open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n(open.file.path == \"/etc/sudoers\")) - && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","creationDate":0,"updateDate":1699614610658,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wty-l8v-uum","attributes":{"version":22,"name":"systemd_modification_open","description":"A - service may have been modified without authorization","expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", - ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1642158534936,"updateDate":1699614610639,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1fj-fmh-6kw","attributes":{"version":4,"name":"compile_after_delivery","description":"A - compiler wrote a suspicious file in a container","expression":"open.flags & - O_CREAT > 0\n&& (\n (open.file.path =~ \"/tmp/**\" 
&& open.file.name in [~\"*.ko\", - ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", - ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n&& (process.comm in [\"javac\", \"clang\", - \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n&& - process.file.name not in [\"pip\", ~\"python*\"]\n&& container.id != \"\"","category":"File - Activity","creationDate":0,"updateAuthorUuId":"82ba1758-696c-11ea-828d-fb376ef71e70","updateDate":1699614610524,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qox-gue-mq8","attributes":{"version":3,"name":"pwnkit_privilege_escalation","description":"A - process was spawned with indicators of exploitation of CVE-2021-4034","expression":"(exec.file.path - == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.envs - not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)","category":"Process - Activity","creationDate":1643639113864,"updateDate":1699614610455,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dlp-tcr-jju","attributes":{"version":2,"name":"kmod_list","description":"Kernel - modules were listed using the kmod command","expression":"exec.comm == \"kmod\" - && exec.args in [~\"*list*\"]","category":"Process Activity","creationDate":0,"updateDate":1699614610436,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"knr-3tx-cl8","attributes":{"version":2,"name":"java_shell_execution_parent","description":"A - java process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path - in [ 
\"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin
/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n&& - process.parent.file.name == \"java\"","category":"Process Activity","creationDate":0,"updateDate":1699614610329,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r8w-red-u4k","attributes":{"version":2,"name":"kernel_module_load_from_memory","description":"A - kernel module was loaded from memory","expression":"load_module.loaded_from_memory - == true","category":"Kernel Activity","creationDate":1650293718630,"updateDate":1699614610258,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jnv-fq4-f23","attributes":{"version":2,"name":"sudoers_policy_modified_chmod","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (chmod.file.path - == \"/etc/sudoers\") \n) && chmod.file.destination.mode != chmod.file.mode && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","creationDate":0,"updateDate":1699614610235,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ji5-8o4-btp","attributes":{"version":2,"name":"kubernetes_dns_enumeration","description":"Kubernetes - DNS enumeration","expression":"dns.question.name == \"any.any.svc.cluster.local\" - && dns.question.type == SRV && container.id != \"\"","category":"Network Activity","creationDate":0,"updateDate":1699614610050,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3j1-wdg-qsg","attributes":{"version":28,"name":"pci_11_5_critical_binaries_open","description":"Critical - system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", - ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" - ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1642158535263,"updateDate":1699614610036,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vaz-icd-nel","attributes":{"version":2,"name":"net_file_download","description":"A - suspicious file was written by a network utility","expression":"open.flags & - O_CREAT > 0 && 
process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n&& (\n (open.file.path - =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || - open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", - ~\"/dev/shm/**\"]\n)","category":"File Activity","creationDate":0,"updateDate":1699614609925,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hir-1j3-tsx","attributes":{"version":20,"name":"ssh_authorized_keys_chown","description":"SSH - modified keys may have been modified","expression":"(\n chown.file.name in - [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", - ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - Activity","creationDate":1642158534934,"updateDate":1699614609845,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mag-ijd-ucx","attributes":{"version":2,"name":"sudoers_policy_modified_utimes","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (utimes.file.path - == \"/etc/sudoers\")\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":0,"updateDate":1699614609831,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yq3-x9w-n3j","attributes":{"version":2,"name":"tar_execution","description":"Tar - archive created","expression":"exec.file.path == \"/usr/bin/tar\" && exec.args_flags - in [\"create\",\"c\"]","category":"Process Activity","creationDate":0,"updateDate":1699614609831,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sfh-mqa-shl","attributes":{"version":24,"name":"ssl_certificate_tampering_chown","description":"SSL - certificates may have been tampered with","expression":"(\n (chown.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535153,"updateDate":1699614609662,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"f6g-gbx-9l6","attributes":{"version":4,"name":"auditd_rule_file_modified","description":"The - auditd rules file was 
modified without using auditctl","expression":"open.file.path - in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] && open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File - Activity","creationDate":0,"updateDate":1699614609625,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ysi-0bm-8tc","attributes":{"version":34,"name":"kernel_module_chmod","description":"A - new kernel module was added","expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) - && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","creationDate":1642158535040,"updateDate":1699614609526,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0sl-ako-4w6","attributes":{"version":24,"name":"ssl_certificate_tampering_utimes","description":"SSL - certificates may have been tampered with","expression":"(\n (utimes.file.path - in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& - 
process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","creationDate":0,"updateDate":1699614609522,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4ec-mzv-u5g","attributes":{"version":5,"name":"kernel_module_load","description":"A - kernel module was loaded","expression":"load_module.name not in [\"nf_tables\", - \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", - \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] && process.ancestors.file.name - not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", - \"ssm-agent-worker\"]","category":"Kernel Activity","creationDate":1650293718458,"updateDate":1699614609521,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kik-wm5-my4","attributes":{"version":5,"name":"dynamic_linker_config_unlink","description":"A - process unlinked a dynamic linker config file","expression":"unlink.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] - && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","creationDate":0,"updateDate":1699614609521,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tji-eua-ery","attributes":{"version":2,"name":"sudoers_policy_modified_rename","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (rename.file.path - == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","category":"File - Activity","creationDate":0,"updateDate":1699614609520,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bpi-apd-1ad","attributes":{"version":1,"name":"offensive_k8s_tool","description":"A - known kubernetes pentesting tool has been executed","expression":"(exec.file.name - in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv - ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process - Activity","creationDate":0,"updateDate":1699605542656,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rcz-xwn-5lq","attributes":{"version":1,"name":"redis_save_module","description":"Redis - module has been created","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 && open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", - ~\"*.so\"]) && process.file.name in [\"redis-check-rdb\", \"redis-server\"]","category":"File - 
Activity","creationDate":0,"updateDate":1699605540650,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oit-dq6-jtz","attributes":{"version":4,"name":"net_util_exfiltration","description":"Exfiltration - attempt via network utility","expression":"exec.comm in [\"wget\", \"curl\", - \"lwp-download\"] && \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", - ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] &&\nexec.args not in - [~\"*localhost*\", ~\"*127.0.0.1*\"]","category":"Process Activity","creationDate":0,"updateDate":1699605533426,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wos-cqg-alj","attributes":{"version":27,"name":"pci_11_5_critical_binaries_rename","description":"Critical - system binaries may have been modified","expression":"(\n (rename.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File 
Activity","creationDate":1642158535169,"updateDate":1699605533116,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1bt-oqb-nhw","attributes":{"version":27,"name":"pci_11_5_critical_binaries_link","description":"Critical - system binaries may have been modified","expression":"(\n (link.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in - [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","creationDate":1642158535044,"updateDate":1699605533055,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"f1p-4uk-ji9","attributes":{"version":2,"name":"selinux_disable_enforcement","description":"SELinux - enforcement status was disabled","expression":"selinux.enforce.status in [\"permissive\", - \"disabled\"] && process.ancestors.args != ~\"*BECOME-SUCCESS*\"","category":"Kernel - 
Activity","creationDate":1635332067172,"updateDate":1699605533031,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ewk-kr1-m8w","attributes":{"version":6,"name":"runc_modification","description":"The - runc binary was modified in a non-standard way","expression":"open.file.path - in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags - & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n&& - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","creationDate":1627392837049,"updateDate":1699605532961,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4ym-hxb-nfc","attributes":{"version":27,"name":"pci_11_5_critical_binaries_utimes","description":"Critical - system binaries may have been modified","expression":"(\n (utimes.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","creationDate":1642158535079,"updateDate":1699605532927,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"39x-fmc-9sw","attributes":{"version":27,"name":"pci_11_5_critical_binaries_chown","description":"Critical - system binaries may have been modified","expression":"(\n (chown.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != - chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - Activity","creationDate":1642158535097,"updateDate":1699605532862,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3xp-uvx-hxk","attributes":{"version":13,"name":"apparmor_modified_tty","description":"An - AppArmor profile was modified in an interactive session","expression":"exec.file.name - in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name !=\"\"","category":"Process - Activity","creationDate":1627392836162,"updateAuthorUuId":"f4183a42-8a64-11ea-93df-c318904b3ca4","updateDate":1699605532856,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"v4a-bat-ppk","attributes":{"version":27,"name":"pci_11_5_critical_binaries_chmod","description":"Critical - system binaries may have been modified","expression":"(\n (chmod.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != - chmod.file.mode","category":"File Activity","creationDate":1642158535079,"updateDate":1699605532822,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ylg-dxo-yuk","attributes":{"version":2,"name":"rc_scripts_modified","description":"RC - scripts modified","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 && (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File - 
Activity","creationDate":0,"updateDate":1699605532814,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mal-nic-u3y","attributes":{"version":3,"name":"Deno_unauthorized_subprocess_created","description":"Unauthorized - subprocess created by deno runtime","expression":"exec.comm !=\"\" && process.ancestors.comm==\"deno\" - && process.ancestors.args not in [r\".*(allow-run|-A|allow-all).*\"]","category":"Process - Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1691743022082,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1692012153553,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"cwq-z6j-igp","attributes":{"version":2,"name":"Deno_unauthorized_network_access_performed","description":"Unauthorized - network access by deno runtime","expression":"bind.addr.family>=0 && process.comm==\"deno\" - && process.args not in [r\".*(allow-net|allow-ffi|-A|allow-all).*\"]","category":"Kernel - Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1691743022106,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1692012153529,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"hfc-a0c-8yl","attributes":{"version":1,"name":"executable_bit_added","description":"The - executable bit was added to a newly created 
file","expression":"chmod.file.in_upper_layer - &&\nchmod.file.change_time < 30s &&\ncontainer.id != \"\" &&\nchmod.file.destination.mode - != chmod.file.mode &&\nchmod.file.destination.mode & S_IXUSR|S_IXGRP|S_IXOTH - > 0 &&\nprocess.argv in [\"+x\"]","category":"File Activity","creationDate":0,"updateDate":1690311003102,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"osi-fya-a5p","attributes":{"version":19,"name":"ssh_authorized_keys_link","description":"SSH - modified keys may have been modified","expression":"(\n link.file.name in - [ \"authorized_keys\", \"authorized_keys2\" ] && (link.file.path in [ ~\"/root/.ssh/*\", - ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File - Activity","creationDate":1642158535286,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o5j-dvu-sdy","attributes":{"version":19,"name":"ssh_authorized_keys_utimes","description":"SSH - modified keys may have been modified","expression":"(\n utimes.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] && (utimes.file.path in [ ~\"/root/.ssh/*\", - ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","creationDate":1642158535278,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rut-8bg-ycb","attributes":{"version":31,"name":"credential_modified_utimes","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (utimes.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" 
])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", - \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", - \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" - ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1642158535200,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qka-g4s-khh","attributes":{"version":19,"name":"ssh_authorized_keys_open","description":"SSH - modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] - && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" - ])\n)","category":"File Activity","creationDate":1642158534864,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g5n-jhl-zge","attributes":{"version":17,"name":"pam_modification_rename","description":"PAM - may have been modified without authorization","expression":"(\n (rename.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File 
Activity","creationDate":1606142936138,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xrg-evq-ka5","attributes":{"version":17,"name":"pam_modification_unlink","description":"PAM - may have been modified without authorization","expression":"(\n (unlink.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1606142936138,"updateDate":1690311003028,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nnu-ch5-3gm","attributes":{"version":1,"name":"deploy_priv_container","description":"A - privileged container was created","expression":"exec.file.name != \"\" && container.created_at - < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0","category":"Process Activity","creationDate":0,"updateDate":1688748464067,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6ln-wqy-y8b","attributes":{"version":1,"name":"net_util_in_container_v2","description":"A - network utility was executed in a container","expression":"(exec.comm in [\"socat\", - \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm - in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args - not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at - > 180s","category":"Process 
Activity","creationDate":0,"updateDate":1688748463994,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hmy-il6-bk5","attributes":{"version":1,"name":"hidden_file_executed","description":"A - hidden file was executed in a suspicious folder","expression":"exec.file.name - =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", - ~\"/dev/shm/**\"]","category":"Process Activity","creationDate":0,"updateDate":1688748463951,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iwa-79s-pb3","attributes":{"version":1,"name":"shell_profile_modification","description":"Shell - profile was modified","expression":"open.file.path in [~\"/home/*/*profile\", - ~\"/home/*/*rc\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0","category":"File - Activity","creationDate":0,"updateDate":1688748463951,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mr2-bwg-0jr","attributes":{"version":1,"name":"suid_file_execution","description":"a - SUID file was executed","expression":"(setuid.euid == 0 || setuid.uid == 0) && - process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != - 0 && process.file.path != \"/usr/bin/sudo\"","category":"File Activity","creationDate":0,"updateDate":1688748463947,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zdz-pje-kbg","attributes":{"version":4,"name":"python_cli_code","description":"Python - code was provided on the command line","expression":"exec.file.name == ~\"python*\" - && exec.args_flags in [\"c\"] 
&& exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", - \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] && exec.args !~ \"*setuptools*\"","category":"Process - Activity","creationDate":0,"updateDate":1688748460425,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"doi-13m-kzx","attributes":{"version":1,"name":"kubernetes_offensive_tool_executed","description":"Kubernetes - offensive tool executed","expression":"(exec.file.name in [ ~\"python*\" ] && - (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv )) || exec.file.name - in [\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process - Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1688462439963,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1688462439963,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"nrd-9be-wnm","attributes":{"version":9,"name":"compiler_in_container","description":"Compiler - Executed in Container","expression":"(exec.file.name in [\"javac\", \"clang\", - \"gcc\",\"bcc\"] || (exec.file.name == \"go\" && exec.args in [~\"*build*\", - ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path != \"/usr/bin/cilium-agent\"","category":"Process - Activity","creationDate":1627392836759,"updateAuthorUuId":"9d3a4eb0-1e67-11ed-b20c-da7ad0900002","updateDate":1685978095211,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"John - 
Murray","handle":"john.murray@datadoghq.com"}},"type":"agent_rule"},{"id":"jea-2m4-kyy","attributes":{"version":1,"name":"curl_docker_socket","description":"The - Docker socket was referenced in a cURL command","expression":"exec.file.name - == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args in [\"*docker.sock*\"] - && container.id != \"\"","category":"Process Activity","creationDate":0,"updateDate":1684184973805,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"i1f-7yg-x6s","attributes":{"version":1,"name":"sudoers_policy_modified_link","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (link.file.path - == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","category":"File - Activity","creationDate":0,"updateDate":1684184973412,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r5j-bb3-dmf","attributes":{"version":1,"name":"read_release_info","description":"OS - information was read from the /etc/lsb-release file","expression":"open.file.path - == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0","category":"File Activity","creationDate":0,"updateDate":1684184973295,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"98m-cex-egg","attributes":{"version":1,"name":"user_deleted_tty","description":"A - user was deleted via an interactive session","expression":"exec.file.name in - [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"Process - Activity","creationDate":0,"updateDate":1684184973238,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"luc-at7-mvw","attributes":{"version":1,"name":"sudoers_policy_modified_chown","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (chown.file.path - == \"/etc/sudoers\")\n) && (chown.file.destination.uid != chown.file.uid || - chown.file.destination.gid != chown.file.gid)","category":"File Activity","creationDate":0,"updateDate":1684184973211,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8qc-61h-epb","attributes":{"version":1,"name":"sudoers_policy_modified_unlink","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (unlink.file.path - == \"/etc/sudoers\")\n)","category":"File Activity","creationDate":0,"updateDate":1684184973209,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"2np-cy4-jad","attributes":{"version":1,"name":"service_stop","description":"systemctl - used to stop a service","expression":"exec.file.name == \"systemctl\" && exec.args - in [~\"*stop*\"]","category":"Process Activity","creationDate":0,"updateDate":1684184973206,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"azw-asm-uwe","attributes":{"version":1,"name":"read_kubeconfig","description":"The - kubeconfig file was accessed","expression":"open.file.path in [~\"/home/*/.kube/config\", - 
\"/root/.kube/config\"]","category":"File Activity","creationDate":0,"updateDate":1684184973196,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qp4-oog-vwu","attributes":{"version":1,"name":"jupyterhub_shell","description":"A - shell command was executed from a JupyterHub code cell","expression":"exec.file.path - == \"/usr/bin/bash\" && process.ancestors.comm == \"jupyterhub-sing\"","category":"Process - Activity","creationAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","creationDate":1682687626099,"updateAuthorUuId":"9b3398f3-af79-49aa-b643-8a607ee6f848","updateDate":1682687626099,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"},"updater":{"name":"Threat - Detection Engineering CI/CD","handle":"9b3398f3-af79-49aa-b643-8a607ee6f848"}},"type":"agent_rule"},{"id":"k2h-ntz-zno","attributes":{"version":3,"name":"auditctl_usage","description":"The - auditctl command was used to modify auditd","expression":"exec.file.name == - \"auditctl\"","category":"Process Activity","creationDate":0,"updateDate":1681806567456,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Cl\u00e9ment - Kuzniewycz","handle":"clement.kuzniewycz@datadoghq.com"}},"type":"agent_rule"},{"id":"fft-hfp-fuu","attributes":{"version":7,"name":"aws_eks_service_account_token_accessed","description":"The - AWS EKS service account token was accessed","expression":"open.file.path =~ - \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" && open.file.name == - \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", - \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - 
\"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File - Activity","creationDate":0,"updateDate":1681806564733,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Cl\u00e9ment - Kuzniewycz","handle":"clement.kuzniewycz@datadoghq.com"}},"type":"agent_rule"},{"id":"ucr-akl-jgo","attributes":{"version":3,"name":"aws_imds","description":"An - AWS IMDS was called via a network utility","expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", - \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","category":"Process - Activity","creationDate":0,"updateDate":1681806563896,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Cl\u00e9ment - Kuzniewycz","handle":"clement.kuzniewycz@datadoghq.com"}},"type":"agent_rule"},{"id":"p6d-hln-r9c","attributes":{"version":23,"name":"ssl_certificate_tampering_chmod","description":"SSL - certificates may have been tampered with","expression":"(\n (chmod.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && chmod.file.mode != chmod.file.destination.mode\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path - not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535314,"updateDate":1681490426484,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9e8-rvn-6hv","attributes":{"version":23,"name":"ssl_certificate_tampering_unlink","description":"SSL - certificates may have been tampered with","expression":"(\n (unlink.file.path - in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& - process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535055,"updateDate":1681490425998,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rim-3ys-upw","attributes":{"version":3,"name":"dynamic_linker_config_write","description":"A - process wrote to a dynamic linker config file","expression":"open.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] - && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in - [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","creationDate":0,"updateDate":1681490425873,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"twt-qsc-twv","attributes":{"version":23,"name":"ssl_certificate_tampering_link","description":"SSL - certificates may have been tampered with","expression":"(\n (link.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.file.name !~ \"runc*\"\n)","category":"File 
Activity","creationDate":1642158535139,"updateDate":1681490425573,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1n2-xpg-6nx","attributes":{"version":23,"name":"ssl_certificate_tampering_open","description":"SSL - certificates may have been tampered with","expression":"(\n open.flags & - (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", - ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","creationDate":0,"updateDate":1681490425289,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uot-9ro-hpp","attributes":{"version":2,"name":"shell_history_deleted","description":"Shell - History was Deleted","expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") - && process.comm not in [\"dockerd\", \"containerd\"]","category":"File Activity","creationDate":0,"updateDate":1681490425280,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jxj-xnb-lua","attributes":{"version":3,"name":"shell_history_truncated","description":"Shell - History was Deleted","expression":"open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 && open.file.name =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in - [~\"/root/*\", ~\"/home/**\"] && process.file.name == 
\"truncate\"","category":"File - Activity","creationDate":0,"updateDate":1681490425220,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gur-w5f-2kn","attributes":{"version":23,"name":"ssl_certificate_tampering_rename","description":"SSL - certificates may have been tampered with","expression":"(\n (rename.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& - process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1642158535082,"updateDate":1681490425217,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jiu-wmv-ig0","attributes":{"version":35,"name":"credential_modified_chmod","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (chmod.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", - \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", 
\"/usr/sbin/userdel\", - \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" - ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode - != chmod.file.mode","category":"File Activity","creationDate":1642158535177,"updateDate":1678909084442,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Nick - Allen","handle":"nick.allen@datadoghq.com"}},"type":"agent_rule"},{"id":"bg2-noz-ouf","attributes":{"version":6,"name":"dirty_pipe_attempt","description":"Potential - Dirty pipe exploitation attempt","expression":"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) - != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid - != 0 && process.gid != 0)","category":"File Activity","creationDate":1648564123603,"updateDate":1678308032425,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Alexander - Daskalov","handle":"alexander.daskalov@datadoghq.com"}},"type":"agent_rule"},{"id":"ydj-k3d-kh3","attributes":{"version":4,"name":"ip_check_domain","description":"A - DNS lookup was done for a IP check service","expression":"dns.question.name - in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", - \"whatismyip.akamai.com\"] && process.file.name != \"\"","category":"Network - Activity","creationDate":1648643213312,"updateDate":1678307295173,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"Alexander - 
Daskalov","handle":"alexander.daskalov@datadoghq.com"}},"type":"agent_rule"},{"id":"i64-vlz-y6u","attributes":{"version":22,"name":"systemd_modification_chmod","description":"A - service may have been modified without authorization","expression":"(\n (chmod.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode - != chmod.file.mode","category":"File Activity","creationDate":1642158535224,"updateDate":1677793411681,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"69h-fh3-8gd","attributes":{"version":1,"name":"tty_shell_in_container","description":"A - shell with a TTY was executed in a container","expression":"exec.file.path in - [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] && process.tty_name != \"\" && process.container.id != \"\"","category":"Process - 
Activity","creationDate":0,"updateDate":1677793400846,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ygs-aya-gxb","attributes":{"version":1,"name":"redis_sandbox_escape","description":"Detects - CVE-2022-0543","expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" - && open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", - \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", - \"libc-2.37.so\"]) && process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","category":"File - Activity","creationDate":0,"updateDate":1677793399338,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"h2l-v6b-akf","attributes":{"version":1,"name":"base64_decode","description":"The - base64 command was used to decode information","expression":"exec.file.name - == \"base64\" && exec.args_flags in [\"d\"]","category":"Process Activity","creationDate":0,"updateDate":1677793399280,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jvq-pxe-ygn","attributes":{"version":21,"name":"systemd_modification_rename","description":"A - service may have been modified without authorization","expression":"(\n (rename.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", - ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":0,"updateDate":1677793384295,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"esw-xou-pwg","attributes":{"version":11,"name":"package_management_in_container","description":"Package - management was detected in a container","expression":"exec.file.path in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - && container.id != \"\"","category":"Process Activity","creationDate":1617722067648,"updateDate":1677793383505,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0yf-x4j-zbg","attributes":{"version":6,"name":"user_created_tty","description":"A - user was created via an interactive session","expression":"exec.file.name in - [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name !=\"\" && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - && exec.args_flags not in [\"D\"]","category":"Process Activity","creationDate":1627392836979,"updateDate":1677793382984,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7nm-5gf-ghj","attributes":{"version":3,"name":"new_binary_execution_in_container","description":"A - container executed a new binary not found in the container image","expression":"container.id - != \"\" && process.file.in_upper_layer && process.file.modification_time < 30s - && exec.file.name != 
\"\"","category":"Process Activity","creationDate":1652129906455,"updateDate":1677793380182,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wib-i2s-0eb","attributes":{"version":17,"name":"pam_modification_utimes","description":"PAM - may have been modified without authorization","expression":"(\n (utimes.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142936138,"updateDate":1677793376369,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d1p-2un-5ay","attributes":{"version":21,"name":"systemd_modification_link","description":"A - service may have been modified without authorization","expression":"(\n (link.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", - ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":0,"updateDate":1677793376080,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aic-m2b-kbp","attributes":{"version":22,"name":"systemd_modification_chown","description":"A - service may 
have been modified without authorization","expression":"(\n (chown.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - Activity","creationDate":0,"updateDate":1677793375206,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rxa-v6v-oyz","attributes":{"version":31,"name":"credential_modified_rename","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (rename.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", - \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", - \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" - ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - 
Activity","creationDate":1642158535356,"updateDate":1677793375033,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tys-u1m-rgt","attributes":{"version":33,"name":"kernel_module_chown","description":"A - new kernel module was added","expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) - && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793374885,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hzz-0oh-mji","attributes":{"version":32,"name":"kernel_module_utimes","description":"A - new kernel module was added","expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && 
process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File - Activity","creationDate":1598516746168,"updateDate":1677793374395,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"om1-5ch-5sf","attributes":{"version":32,"name":"kernel_module_unlink","description":"A - new kernel module was added","expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File - Activity","creationDate":1598516746168,"updateDate":1677793372622,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wwu-ysx-rm7","attributes":{"version":32,"name":"kernel_module_rename","description":"A - new kernel module was added","expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File - Activity","creationDate":1642158535229,"updateDate":1677793372373,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rza-8h3-4lj","attributes":{"version":32,"name":"credential_modified_chown","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (chown.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", - \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", - \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" - ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - Activity","creationDate":1642158534952,"updateDate":1677793372165,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"s17-cle-cuf","attributes":{"version":31,"name":"credential_modified_link","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (link.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", 
\"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", - \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", - \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" - ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1642158535271,"updateDate":1677793372149,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ty2-qc4-drd","attributes":{"version":32,"name":"kernel_module_link","description":"A - new kernel module was added","expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File - 
Activity","creationDate":1642158535200,"updateDate":1677793372103,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hsk-ug8-fu7","attributes":{"version":32,"name":"kernel_module_open","description":"A - new kernel module was added","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" - ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793371891,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rme-dmd-trz","attributes":{"version":31,"name":"credential_modified_unlink","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (unlink.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ - \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", - \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", - \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" - ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1642158535113,"updateDate":1677793371890,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bya-q5x-vjt","attributes":{"version":24,"name":"cron_at_job_creation_rename","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (rename.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || - rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" - ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":1606142961130,"updateDate":1674486419017,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6p8-mws-jmo","attributes":{"version":1,"name":"potential_web_shell_parent","description":"A - web application spawned a shell or shell utility","expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n 
\"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in - [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bi
n/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) - &&\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] - || process.parent.file.name =~ \"php*\")","category":"Process Activity","creationDate":0,"updateDate":1674486410462,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c3b-qwh-lwy","attributes":{"version":1,"name":"mount_host_fs","description":"The - host file system was mounted in a container","expression":"mount.source.path - == \"/\" && mount.fs_type != \"overlay\" && container.id != \"\"","category":"File - Activity","creationDate":0,"updateDate":1674486409763,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mfw-adh-mba","attributes":{"version":1,"name":"memfd_create","description":"memfd - object created","expression":"exec.file.name =~ \"memfd*\" && exec.file.path - == \"\"","category":"Process Activity","creationDate":0,"updateDate":1674486409582,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ylo-d9p-7e2","attributes":{"version":25,"name":"cron_at_job_creation_chmod","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (chmod.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && chmod.file.destination.mode - != chmod.file.mode\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - 
Activity","creationDate":1606142961130,"updateDate":1674486392555,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zwi-z69-wxv","attributes":{"version":25,"name":"cron_at_job_creation_chown","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (chown.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142961130,"updateDate":1674486392076,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"abd-4hy-aep","attributes":{"version":25,"name":"cron_at_job_creation_utimes","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (utimes.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File 
Activity","creationDate":1606142961130,"updateDate":1674486391087,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kft-h30-mqm","attributes":{"version":25,"name":"cron_at_job_creation_unlink","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (unlink.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142961130,"updateDate":1674486390957,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xda-xrq-k9e","attributes":{"version":25,"name":"cron_at_job_creation_open","description":"An - unauthorized job was added to cron scheduling","expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", - ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ - \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - 
Activity","creationDate":1606142961130,"updateDate":1674486390712,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vxt-pdr-0cl","attributes":{"version":25,"name":"cron_at_job_creation_link","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (link.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || - link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" - ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":1606142961130,"updateDate":1674486390691,"filters":[],"actions":[],"agentConstraint":"","enabled":false,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"z01-5m6-bbi","attributes":{"version":1,"name":"gcp_imds","description":"An - GCP IMDS was called via a network utility","expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", - ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","category":"Process - Activity","creationDate":0,"updateDate":1670604148337,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tez-7by-uke","attributes":{"version":1,"name":"azure_imds","description":"An - Azure IMDS was called via a network utility","expression":"exec.comm in [\"wget\", - \"curl\", 
\"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","category":"Process - Activity","creationDate":0,"updateDate":1670604148316,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fcs-rzj-p0a","attributes":{"version":1,"name":"net_unusual_request","description":"Network - utility executed with suspicious URI","expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","category":"Process - Activity","creationDate":0,"updateDate":1670604148316,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u4x-0kv-jq1","attributes":{"version":2,"name":"ptrace_antidebug","description":"A - process uses an anti-debugging technique to block debuggers","expression":"ptrace.request - == PTRACE_TRACEME && process.file.name != \"\"","category":"Kernel Activity","creationDate":1650293718435,"updateDate":1670604142703,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hyc-d0a-iat","attributes":{"version":9,"name":"passwd_execution","description":"The - passwd or chpasswd utility was used to modify an account password","expression":"exec.file.path - in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags not in [\"S\", - \"status\"]","category":"Process Activity","creationDate":1617722068383,"updateDate":1666888149907,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vls-ztk-8p0","attributes":{"version":2,"name":"dirty_pipe_exploitation","description":"Potential - Dirty pipe 
exploitation","expression":"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) - > 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","creationDate":1648564123563,"updateDate":1666888149012,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3ga-ibr-dlw","attributes":{"version":19,"name":"net_util_in_container","description":"A - network utility was executed in a container","expression":"(exec.comm in [\"socat\", - \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm - in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args - not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process - Activity","creationDate":1617722068439,"updateDate":1666888148873,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kel-je5-jhu","attributes":{"version":14,"name":"net_util","description":"A - network utility was executed","expression":"(exec.comm in [\"socat\", \"dig\", - \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in - [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id == \"\" && exec.args - not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process - Activity","creationDate":1617722067377,"updateDate":1666888148817,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zp1-2vr-dji","attributes":{"version":1,"name":"ld_preload_unusual_library_path","description":"The - LD_PRELOAD variable is populated by a link to a suspicious file directory","expression":"exec.envs - in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" 
]","category":"Process - Activity","creationDate":0,"updateDate":1665475122104,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iha-seu-ukg","attributes":{"version":18,"name":"pam_modification_chown","description":"PAM - may have been modified without authorization","expression":"(\n (chown.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - Activity","creationDate":1642158535185,"updateDate":1665475117830,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5jz-f4m-ujl","attributes":{"version":17,"name":"pam_modification_chmod","description":"PAM - may have been modified without authorization","expression":"(\n (chmod.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && chmod.file.destination.mode - != chmod.file.mode","category":"File Activity","creationDate":1606142936138,"updateDate":1665475098297,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hyg-xco-0yu","attributes":{"version":19,"name":"ssh_authorized_keys_chmod","description":"SSH - modified keys may have been modified","expression":"(\n chmod.file.name in - [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", - ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && chmod.file.destination.mode - != chmod.file.mode","category":"File 
Activity","creationDate":1642158535014,"updateDate":1665475096405,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m6c-qaa-oq5","attributes":{"version":1,"name":"shell_history_symlink","description":"A - symbolic link for shell history was created targeting /dev/null","expression":"exec.comm - == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]","category":"Process - Activity","creationDate":0,"updateDate":1661193978111,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"e8x-hfv-opq","attributes":{"version":3,"name":"potential_cryptominer","description":"A - process resolved a DNS name associated with cryptomining activity","expression":"dns.question.name - in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", - ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] - && process.file.name != \"\"","category":"Network Activity","creationDate":1648643213236,"updateDate":1658502066736,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"o9o-bqw-xda","attributes":{"version":2,"name":"paste_site","description":"A - DNS lookup was done for a pastebin-like site","expression":"dns.question.name - in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] && process.file.name - != \"\"","category":"Network 
Activity","creationDate":1648643213212,"updateDate":1654020328112,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ozc-4r6-5v6","attributes":{"version":2,"name":"kernel_module_load_container","description":"A - container loaded a new kernel module","expression":"load_module.name != \"\" - && container.id !=\"\"","category":"Kernel Activity","creationDate":1650293718705,"updateDate":1650371510304,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qxl-uky-d3i","attributes":{"version":1,"name":"ptrace_injection","description":"A - process attempted to inject code into another process","expression":"ptrace.request - == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == - PTRACE_POKEUSR","category":"Kernel Activity","creationDate":1650293718540,"updateDate":1650293782685,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hkb-qnu-nin","attributes":{"version":1,"name":"kernel_module_load_from_memory_container","description":"A - kernel module was loaded from memory inside a container","expression":"load_module.loaded_from_memory - == true && container.id !=\"\"","category":"Kernel Activity","creationDate":1650293718365,"updateDate":1650293782651,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vgp-c7n-4ww","attributes":{"version":17,"name":"pam_modification_open","description":"PAM - may have been modified without authorization","expression":"(\n open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", - 
\"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1642158535331,"updateDate":1643993958380,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dk5-qem-ukk","attributes":{"version":17,"name":"pam_modification_link","description":"PAM - may have been modified without authorization","expression":"(\n (link.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1642158535089,"updateDate":1643993957839,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g0j-tcx-9yi","attributes":{"version":16,"name":"nsswitch_conf_mod_link","description":"Nsswitch - Configuration Modified","expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" - ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File - Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wu3-ect-q5y","attributes":{"version":16,"name":"nsswitch_conf_mod_rename","description":"Nsswitch - Configuration Modified","expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" - ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File - Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nfl-b7w-jla","attributes":{"version":16,"name":"nsswitch_conf_mod_unlink","description":"Nsswitch - 
Configuration Modified","expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" - ])\n)","category":"File Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vti-qnm-wg7","attributes":{"version":16,"name":"nsswitch_conf_mod_utimes","description":"Nsswitch - Configuration Modified","expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" - ])\n)","category":"File Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"}]} - - ' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 2 - method: DELETE - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/gd2-ogg-fyk - response: - body: '' - code: 204 - duration: 0ms - headers: {} - status: 204 No Content -version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze
deleted file mode 100644
index bfb813f093f..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2024-03-08T14:19:14.825Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.yaml
deleted file mode 100644
index b5e6167713c..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_CSM_Threats_policy_returns_OK_response.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-interactions: -- request: - body: '' - form: {} - headers: - Accept: - - application/zip, application/json - id: 0 - method: GET - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/download - response: - body: 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 - code: 200 - duration: 0ms - headers: - Content-Type: - - application/zip - status: 200 OK -version: 2
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze
deleted file mode 100644
index 70ab598aa1b..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2024-03-08T14:19:15.311Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.yaml
deleted file mode 100644
index 7630a6c1969..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.yaml
+++ /dev/null
@@ -1,1167 +0,0 @@ -interactions: -- request: - body: '' - form: {} - headers: - Accept: - - application/yaml, application/json - id: 0 - method: GET - url: https://api.datadoghq.com/api/v2/security/cloud_workload/policy/download - response: - body: "# IMPORTANT: Edits to this file will not be reflected in the Datadog App\ - \ and will be overwritten with new policy file downloads. Please modify rules\ - \ in the Datadog App for full functionality.\nversion: '1709907555575'\nrules:\n\ - - id: Deno_unauthorized_network_access_performed\n version: 482a395e\n description:\ - \ Unauthorized network access by deno runtime\n expression: bind.addr.family>=0\ - \ && process.comm==\"deno\" && process.args not in [r\".*(allow-net|allow-ffi|-A|allow-all).*\"\ - ]\n agent_version: ''\n filters: []\n- id: Deno_unauthorized_subprocess_created\n\ - \ version: d2d82b09\n description: Unauthorized subprocess created by deno\ - \ runtime\n expression: exec.comm !=\"\" && process.ancestors.comm==\"deno\"\ - \ && process.ancestors.args\n not in [r\".*(allow-run|-A|allow-all).*\"]\n\ - \ agent_version: ''\n filters: []\n- id: apparmor_modified_tty\n version:\ - \ a7f3b5c2\n description: An AppArmor profile was modified in an interactive\ - \ session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\"\ - , \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n\ - \ - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description:\ - \ The auditctl command was used to modify auditd\n expression: exec.file.name\ - \ == \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_config_modified\n\ - \ version: c7f52a7a\n description: The auditd configuration file was modified\ - \ without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\"\ - \ && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name\ - \ != \"auditctl\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ 
auditd_rule_file_modified\n version: c533115d\n description: The auditd\ - \ rules file was modified without using auditctl\n expression: open.file.path\ - \ in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n &&\ - \ open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n\ - \ \"auditctl\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description:\ - \ The AWS EKS service account token was accessed\n expression: open.file.path\ - \ =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name\ - \ == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ - ,\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\"\ - ,\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ - ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ - , \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\"\ - , \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n \ - \ filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS\ - \ was called via a network utility\n expression: exec.comm in [\"wget\", \"\ - curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\"\ - ,\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"\ - ]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n\ - \ description: An Azure IMDS was called via a network utility\n expression:\ - \ exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"\ - ]\n agent_version: ''\n filters: []\n- id: base64_decode\n version: dd942ef2\n\ - \ description: The base64 command was used to decode information\n 
expression:\ - \ exec.file.name == \"base64\" && exec.args_flags in [\"d\"]\n agent_version:\ - \ ''\n filters: []\n- id: certutil_usage\n version: 4b9c58b5\n description:\ - \ Certutil was executed to transmit or decode a potentially malicious\n file\n\ - \ expression: exec.file.name == \"certutil.exe\" && ((exec.cmdline =~ \"*urlcache*\"\ - \ &&\n exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")\n agent_version:\ - \ ''\n filters:\n - os == \"windows\"\n- id: chatroom_request\n version:\ - \ 91aa2a0f\n description: A newly created file contacted a chatroom domain\n\ - \ expression: dns.question.name in [\"discord.com\", \"api.telegram.org\",\ - \ \"cdn.discordapp.com\"]\n && process.file.in_upper_layer && process.file.change_time\ - \ < 60s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: compile_after_delivery\n\ - \ version: f41c1e36\n description: A compiler wrote a suspicious file in a\ - \ container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n \ - \ (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n\ - \ || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\"\ - , ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm in [\"\ - javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\"\ - , \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"\ - python*\"]\n && container.id != \"\"\n agent_version: ''\n filters:\n \ - \ - os == \"linux\"\n- id: compiler_in_container\n version: 441a7e85\n description:\ - \ Compiler Executed in Container\n expression: (exec.file.name in [\"javac\"\ - , \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args\ - \ in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n\ - \ != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id:\ - \ crackmap_exec_executed\n version: 62b05d89\n description: Known offensive\ - \ tool crackmap exec executed\n expression: 
exec.cmdline in [~\"*crackmapexec*\"\ - , ~\"*cme*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id:\ - \ credential_modified_chown\n version: b5e2cf51\n description: Sensitive credential\ - \ files were modified using a non-standard tool\n expression: |-\n (\n \ - \ (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \ - \ && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\"\ - , \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ - , \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\",\ - \ \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\"\ - , \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \ - \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid\ - \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version:\ - \ ''\n filters: []\n- id: credential_modified_link\n version: 5fe23f72\n \ - \ description: Sensitive credential files were modified using a non-standard\ - \ tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\"\ - , \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\"\ - , \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\"\ - , \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\"\ - , \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\"\ - , \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\"\ - \ ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ - \ ''\n filters: []\n- id: credential_modified_open_v2\n version: 5aec9afe\n\ - \ description: Sensitive credential files were modified using a non-standard\ - \ tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC))\ - \ > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n\ - \ && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"\ - /sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ - , \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\",\ - \ \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\"\ - , \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \ - \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at\ - \ > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n\ - \ version: b7458786\n description: Sensitive credential files were modified\ - \ using a non-standard tool\n expression: |-\n (\n (rename.file.path\ - \ in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path\ - \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not\ - \ in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ - , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ - , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_unlink\n\ - \ version: 557758b6\n description: Sensitive credential files were modified\ - \ using a non-standard tool\n expression: |-\n (\n (unlink.file.path\ - \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not\ - \ in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ - , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ - , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n\ - \ version: de8d14c5\n description: Sensitive credential files were modified\ - \ using a non-standard tool\n expression: |-\n (\n (utimes.file.path\ - \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not\ - \ in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ - , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ - , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - 
/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: cryptominer_envs\n\ - \ version: 735b7690\n description: Process environment variables match cryptocurrency\ - \ miner\n expression: exec.envs in [~\"*POOL_USER*\", ~\"*POOL_URL*\", ~\"\ - *POOL_PASS*\", ~\"*DONATE_LEVEL*\"]\n agent_version: ''\n filters:\n - os\ - \ == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description:\ - \ The Docker socket was referenced in a cURL command\n expression: exec.file.name\ - \ == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"\ - *docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n\ - - id: database_shell_execution\n version: 3508c713\n description: A database\ - \ application spawned a shell, shell utility, or HTTP utility\n expression:\ - \ |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \ - \ \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \ - \ \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \ - \ \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \ - \ \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ - ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n\ - \ \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"\ - /bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \ - \ \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\"\ - ,\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in\ - \ [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\"\ - ,\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\"\ - ,\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\"\ - ,\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"\ - /bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\"\ - 
,\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\"\ - ,\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\"\ - ,\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\"\ - ,\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"\ - /usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\"\ - ,\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\"\ - ,\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\"\ - ,\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\"\ - ,\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"\ - /usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"\ - /usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\"\ - ,\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\"\ - ,\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\"\ - ,\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"\ - /usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\"\ - ,\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\"\ - ,\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\"\ - ,\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"\ - /usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in\ - \ [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name\ - \ == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name\ - \ == \"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: delete_system_log\n version: 5436807c\n\ - \ description: A process deleted common system log files\n expression: unlink.file.path\ - \ 
in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\",\n \"/var/log/lastlog\"\ - , \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\",\n \"\ - /var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"\ - ]\n && process.comm not in [\"dockerd\", \"containerd\"]\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version:\ - \ 356d5ee7\n description: A privileged container was created\n expression:\ - \ exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n\ - \ & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n\ - \ version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n\ - \ expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n\ - \ & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid !=\ - \ 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version:\ - \ 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression:\ - \ (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n \ - \ != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n\ - \ version: 1924611e\n description: A process unlinked a dynamic linker config\ - \ file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\"\ - , ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"\ - , \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ - \n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process\ - \ wrote to a dynamic linker config file\n expression: open.file.path in [\"\ - /etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n \ - \ && 
open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path\ - \ not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - ,\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path\ - \ not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\"\ - , \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\"\ - , \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\"\ - , \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \ - \ \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"\ - ]\n agent_version: ''\n filters: []\n- id: exec_lsmod\n version: 1a14c811\n\ - \ description: Kernel modules were listed using the lsmod command\n expression:\ - \ exec.comm == \"lsmod\"\n agent_version: ''\n filters:\n - os == \"linux\"\ - \n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command\ - \ was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: exec_wrmsr\n version: 13ea7d84\n description:\ - \ The wrmsr program executed\n expression: exec.comm == \"wrmsr\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: executable_bit_added\n version:\ - \ 6f8761f\n description: The executable bit was added to a newly created file\n\ - \ expression: |-\n chmod.file.in_upper_layer &&\n chmod.file.change_time\ - \ < 30s &&\n container.id != \"\" &&\n chmod.file.destination.mode !=\ - \ chmod.file.mode &&\n chmod.file.destination.mode & S_IXUSR|S_IXGRP|S_IXOTH\ - \ > 0 &&\n process.argv in [\"+x\"]\n agent_version: ''\n filters: []\n\ - - id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via\ - \ a network utility\n expression: exec.comm in [\"wget\", \"curl\", 
\"lwp-download\"\ - ] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\"\ - ,\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"\ - ]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version:\ - \ 60fd84a9\n description: A hidden file was executed in a suspicious folder\n\ - \ expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\"\ - , ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n\ - \ filters: []\n- id: interactive_shell_in_container\n version: f8bc8845\n\ - \ description: An interactive shell was started inside of a container\n expression:\ - \ |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \ - \ \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"\ - /bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"\ - /usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"\ - /usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ - ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n\ - \ \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"\ - /bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \ - \ \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\"\ - ,\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in\ - \ [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters:\n - os ==\ - \ \"linux\"\n- id: ip_check_domain\n version: d8a9934\n description: A DNS\ - \ lookup was done for a IP check service\n expression: dns.question.name in\ - \ [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\"\ - , \"whatismyip.akamai.com\"] && process.file.name != \"\"\n agent_version:\ - \ ''\n filters: []\n- id: iptables_egress_allowed\n version: a5be0ef9\n description:\ - \ Egress traffic allowed using iptables\n expression: exec.comm == \"iptables\"\ - \ && process.args in 
[r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\\ - b){4}.*ACCEPT\"]\n && process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\\ - .)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]\n \ - \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: java_shell_execution_parent\n\ - \ version: 1bcff0aa\n description: A java process spawned a shell, shell utility,\ - \ or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\"\ - ,\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n\ - \ \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \ - \ \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\"\ - ,\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\"\ - ,\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n\ - \ \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \ - \ \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\"\ - ,\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n\ - \ \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \ - \ \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"\ - ] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"\ - /bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\"\ - ,\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\"\ - ,\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\"\ - ,\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"\ - /usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"\ - /usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\"\ - ,\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\"\ - ,\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\"\ - ,\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"\ - 
/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"\ - /usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\"\ - ,\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"\ - /usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\"\ - ,\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\"\ - ,\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\"\ - ,\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\"\ - ,\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\"\ - ,\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"\ - /usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\"\ - ,\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"\ - /usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\"\ - ,\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\ - \ && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n\ - \ - os == \"linux\"\n- id: jupyterhub_shell\n version: ee1b8429\n description:\ - \ A shell command was executed from a JupyterHub code cell\n expression: exec.file.path\ - \ == \"/usr/bin/bash\" && process.ancestors.comm == \"jupyterhub-sing\"\n agent_version:\ - \ ''\n filters: []\n- id: k8s_pod_service_account_token_accessed\n version:\ - \ 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n\ - \ expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\"\ - ,\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name\ - \ == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ - , \"/opt/datadog-agent/embedded/bin/system-probe\",\n \"/opt/datadog-agent/embedded/bin/security-agent\"\ - , 
\"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\"\ - , \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\"\ - , \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\"\ - ,\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path\ - \ not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\"\ - , \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\"\ - , \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n\ - \ \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\"\ - ,\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\"\ - ,\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\"\ - ,\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\"\ - ]\n && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ - ,\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\"\ - ,\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ - ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ - , \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\"\ - , \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n \ - \ filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 93da2ba6\n\ - \ description: A new kernel module was added\n expression: |-\n (\n \ - \ (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n\ - \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && 
process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ - \ ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: kernel_module_chown\n version: ca2cf124\n\ - \ description: A new kernel module was added\n expression: |-\n (\n \ - \ (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n\ - \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ - \ ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ - \ != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n\ - \ version: ae6469e5\n description: A new kernel module was added\n expression:\ - \ |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ - \ ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"\ - /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ - \ )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version:\ - \ 904592b4\n description: A kernel module was loaded\n expression: load_module.name\ - \ not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\"\ - , \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"\ - ]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\"\ - , \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"\ - ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_container\n\ - \ version: 139b666a\n description: A container loaded a new kernel module\n\ - \ expression: load_module.name != \"\" && container.id !=\"\"\n agent_version:\ - \ ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n\ - \ description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory\ - \ == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n\ - \ version: a277c753\n description: A kernel module was loaded from memory\ - \ inside a container\n expression: load_module.loaded_from_memory == true &&\ - \ container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n\ - \ version: 55f9569\n description: A new kernel module was added\n expression:\ - \ |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n\ - \ (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ - \ )\n agent_version: ''\n filters: []\n- id: kernel_module_rename\n version:\ - \ 8dd78e74\n description: A new kernel module was added\n expression: |-\n\ - \ (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ - \ ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"\ - /usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path\ - \ != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n\ - \ version: 652391be\n description: A new kernel module was added\n expression:\ - \ |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ - \ )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version:\ - \ 405d45e7\n description: A new kernel module was added\n expression: |-\n\ - \ (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ - 
\ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n\ - \ )\n agent_version: ''\n filters: []\n- id: kernel_msr_write\n version:\ - \ 2c433a21\n description: A process attempted to enable writing to model-specific\ - \ registers\n expression: exec.comm == \"modprobe\" && process.args =~ \"*msr*allow_writes*\"\ - \n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kmod_list\n version:\ - \ c353a548\n description: Kernel modules were listed using the kmod command\n\ - \ expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: kubernetes_dns_enumeration\n version:\ - \ 70a1304\n description: Kubernetes DNS enumeration\n expression: dns.question.name\ - \ == \"any.any.svc.cluster.local\" && dns.question.type\n == SRV && container.id\ - \ != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kubernetes_offensive_tool_executed\n\ - \ version: 18130cbb\n description: Kubernetes offensive tool executed\n expression:\ - \ (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n\ - \ \"kubestriker\" in exec.argv )) || exec.file.name in [\"kubiscan\",\"kdigger\"\ - ,\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\"\ - ,\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n\ - \ version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by\ - \ a link to a suspicious file\n directory\n expression: exec.envs in [~\"\ - 
LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters:\ - \ []\n- id: libpam_ebpf_hook\n version: adbe1bb1\n description: Library libpam.so\ - \ hooked using eBPF\n expression: bpf.cmd == BPF_MAP_CREATE && process.args\ - \ in [r\".*libpam.so.*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ - \n- id: looney_tunables_exploit\n version: 7e9f4346\n description: Looney\ - \ Tunables (CVE-2023-4911) exploit attempted\n expression: exec.file.mode &\ - \ S_ISUID > 0 && exec.file.uid == 0 && exec.uid != 0\n && exec.envs in [~\"\ - *GLIBC_TUNABLES*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n\ - - id: memfd_create\n version: 5908512a\n description: memfd object created\n\ - \ expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version:\ - \ ''\n filters: []\n- id: minidump_usage\n version: 3de40e55\n description:\ - \ Process memory was dumped using the minidump function from comsvcs.dll\n \ - \ expression: exec.cmdline =~ \"*MiniDump*\"\n agent_version: ''\n filters:\n\ - \ - os == \"windows\"\n- id: mount_host_fs\n version: accb4f\n description:\ - \ The host file system was mounted in a container\n expression: mount.source.path\ - \ == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version:\ - \ ''\n filters: []\n- id: net_file_download\n version: 75b930ad\n description:\ - \ A suspicious file was written by a network utility\n expression: |-\n \ - \ open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"\ - ]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"\ - *.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\"\ - , ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n \ - \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_unusual_request\n\ - \ version: 3df2d9ef\n description: Network utility executed with suspicious\ - \ URI\n expression: 'exec.comm in [\"wget\", \"curl\", 
\"lwp-download\"] &&\ - \ exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters:\ - \ []\n- id: net_util\n version: c3f2117b\n description: A network utility\ - \ was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"\ - nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in\ - \ [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args\ - \ not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version:\ - \ ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description:\ - \ Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\ - \"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n\ - \ \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"\ - d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not\ - \ in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n \ - \ filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n\ - \ description: A network utility was executed in a container\n expression:\ - \ |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\"\ - , ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"\ - ]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"\ - *127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n\ - - id: net_util_in_container_v2\n version: 26d8eba1\n description: A network\ - \ utility was executed in a container\n expression: |-\n (exec.comm in [\"\ - socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"]\ - \ ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id\ - \ != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\"\ - \ ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id:\ - \ network_sniffing_tool\n version: 
4ae409bf\n description: Local account groups\ - \ were enumerated after container start up\n expression: exec.file.name in\ - \ [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ - \n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description:\ - \ A container executed a new binary not found in the container image\n expression:\ - \ container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n\ - \ < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n-\ - \ id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch\ - \ may have been modified without authorization\n expression: |-\n (\n \ - \ (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode\ - \ != chmod.file.mode && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may\ - \ have been modified without authorization\n expression: |-\n (\n \ - \ (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid\ - \ != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n \ - \ - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description:\ - \ Nsswitch Configuration Modified\n expression: |-\n (\n (link.file.path\ - \ in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [\ - \ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: 
[]\n- id:\ - \ nsswitch_conf_mod_open\n version: b5602c6f\n description: nsswitch may have\ - \ been modified without authorization\n expression: |-\n (\n open.flags\ - \ & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\"\ - \ ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may\ - \ have been modified without authorization\n expression: |-\n (\n \ - \ open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path\ - \ in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 90s && process.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n \ - \ - os == \"linux\"\n- id: nsswitch_conf_mod_rename\n version: aad34176\n \ - \ description: Nsswitch Configuration Modified\n expression: |-\n (\n \ - \ (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path\ - \ in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n\ - - id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch\ - \ Configuration Modified\n expression: |-\n (\n (unlink.file.path\ - \ in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n\ - - id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch\ - \ Configuration Modified\n expression: |-\n (\n (utimes.file.path\ - \ in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n\ - - id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced\ - \ in 
commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version:\ - \ ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version:\ - \ b83fba22\n description: A known kubernetes pentesting tool has been executed\n\ - \ expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv\ - \ ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\"\ - ,\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\"\ - ,\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n\ - - id: omigod\n version: 2064b3b4\n description: Omiagent spawns a privileged\ - \ child process\n expression: exec.uid >= 0 && process.ancestors.file.name\ - \ == \"omiagent\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ open_msr_writes\n version: 261f8f98\n description: A process opened a model-specific\ - \ register (MSR) configuration file\n expression: open.file.path == \"/sys/module/msr/parameters/allow_writes\"\ - \ && open.flags\n & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: package_management_in_container\n\ - \ version: c152fcaf\n description: Package management was detected in a container\n\ - \ expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ - /usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: package_management_in_container_v2\n\ - \ version: 7eb85510\n description: Package management was detected in a conatiner\ - \ outside of container\n start_up\n expression: exec.file.path in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"\ - , \"/usr/lib/snapd/snapd\"] && container.id != \"\" && 
container.created_at\n\ - \ > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_chmod\n\ - \ version: 974a676e\n description: PAM may have been modified without authorization\n\ - \ expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\",\ - \ \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n\ - \ agent_version: ''\n filters: []\n- id: pam_modification_chown\n version:\ - \ d89aa0a7\n description: PAM may have been modified without authorization\n\ - \ expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\",\ - \ \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid\ - \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters:\ - \ []\n- id: pam_modification_link\n version: aa68153f\n description: PAM may\ - \ have been modified without authorization\n expression: |-\n (\n \ - \ (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n ||\ - \ link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n\ - \ )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version:\ - \ e22e05b7\n description: PAM may have been modified without authorization\n\ - \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\"\ - \ ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n\ - \ version: bd1d257a\n description: PAM may have been modified without authorization\n\ - \ expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/**\"\ - , \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\"\ - , \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n\ - \ version: c3dc53e1\n description: PAM may have been modified without authorization\n\ - \ expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/**\"\ - , \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: 
pam_modification_utimes\n\ - \ version: d377b599\n description: PAM may have been modified without authorization\n\ - \ expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\"\ - , \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n\ - \ version: e1d41f5e\n description: The passwd or chpasswd utility was used\ - \ to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\"\ - , \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"\ - ]\n agent_version: ''\n filters: []\n- id: paste_site\n version: 3dcef11\n\ - \ description: A DNS lookup was done for a pastebin-like site\n expression:\ - \ dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\"\ - ,\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version: ''\n filters:\ - \ []\n- id: pci_11_5_critical_binaries_chmod\n version: b858137e\n description:\ - \ Critical system binaries may have been modified\n expression: |-\n (\n\ - \ (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"\ - /usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version:\ - \ ''\n filters: []\n- id: 
pci_11_5_critical_binaries_chown\n version: d6630ebc\n\ - \ description: Critical system binaries may have been modified\n expression:\ - \ |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ - , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ - \ != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n\ - \ version: 9b8182c6\n description: Critical system binaries may have been\ - \ modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\"\ - , ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"\ - /usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path\ - \ in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\"\ - , ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not\ - \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n\ - \ 
version: ce1c6918\n description: Critical system binaries may have been\ - \ modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ - , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ - \ ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_open_v2\n\ - \ version: 45abd074\n description: Critical system binaries may have been\ - \ modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ - , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ - \ ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n -\ - \ os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: 2a133ffc\n\ - \ description: Critical system binaries may have been modified\n expression:\ - \ |-\n (\n (rename.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ - , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ - \ ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\"\ - , ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\"\ - , ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n\ - \ version: a750ab26\n description: Critical system binaries may have been\ - \ modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\"\ - , ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"\ - /usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"\ - /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 5e2a9d6f\n description:\ - \ Critical system binaries may have been modified\n expression: |-\n (\n\ - \ (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\",\ - \ ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n\ - \ version: 47048a42\n description: A process resolved a DNS name associated\ - \ with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\"\ - , ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\"\ - , ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"\ - ] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n\ - \ version: b67ffbcd\n description: A web application spawned a shell or shell\ - \ utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \ - \ \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"\ - /usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ - ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ - ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ - ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n\ - \ \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"\ - /bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \ - \ \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\"\ - ,\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\"\ - , \"curl\", \"lwp-download\"] || exec.file.path in [\"/bin/cat\",\"/bin/chgrp\"\ - ,\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\"\ - 
,\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\"\ - ,\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\"\ - ,\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"\ - /bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\"\ - ,\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\"\ - ,\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\"\ - ,\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\"\ - ,\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"\ - /usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"\ - /usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\"\ - ,\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"\ - /usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\"\ - ,\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\"\ - ,\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\"\ - ,\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\"\ - ,\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\"\ - ,\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"\ - /usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\"\ - ,\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"\ - /usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\"\ - ,\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\ - \ &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\"\ - , \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n\ - \ filters: []\n- id: procdump_execution\n version: 
bfcebb5c\n description:\ - \ A tool used to dump process memory has been executed\n expression: exec.file.name\ - \ in [\"procmon.exe\",\"procdump.exe\"]\n agent_version: ''\n filters:\n \ - \ - os == \"windows\"\n- id: ptrace_antidebug\n version: a6289ff7\n description:\ - \ A process uses an anti-debugging technique to block debuggers\n expression:\ - \ ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version:\ - \ ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description:\ - \ A process attempted to inject code into another process\n expression: ptrace.request\ - \ == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request\ - \ == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n\ - \ version: c83bbabc\n description: A process was spawned with indicators of\ - \ exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\"\ - \ && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"\ - *DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: python_cli_code\n version: '989474'\n\ - \ description: Python code was provided on the command line\n expression:\ - \ exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n\ - \ in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\"\ - , \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version:\ - \ ''\n filters: []\n- id: ransomware_note\n version: ffd9b885\n description:\ - \ Possible ransomware note created under common user directories\n expression:\ - \ open.flags & O_CREAT > 0 && open.file.path in [~\"/home/**\", ~\"/root/**\"\ - ,\n ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\"\ - , ~\"/var/lib/log/**\",\n ~\"/var/backup/**\", ~\"/var/www/**\"] && open.file.name\ - \ in 
[r\"(?i).*(restore|recovery|readme|instruction|how_to|ransom).*|.*(your_|crypt|lock|important).*\\\ - .txt$\"]\n && open.file.name != \"README.md\"\n agent_version: ''\n filters:\n\ - \ - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description:\ - \ RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) &&\ - \ process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\",\ - \ ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n\ - \ description: The kubeconfig file was accessed\n expression: open.file.path\ - \ in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n\ - \ filters: []\n- id: read_release_info\n version: d0cc9710\n description:\ - \ OS information was read from the /etc/lsb-release file\n expression: open.file.path\ - \ == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n\ - \ filters: []\n- id: redis_sandbox_escape\n version: d7eb615a\n description:\ - \ Detects CVE-2022-0543\n expression: (open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\"\ - \ && open.file.name in\n [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\"\ - , \"libc-2.32.so\", \"libc-2.33.so\",\n \"libc-2.34.so\", \"libc-2.35.so\"\ - , \"libc-2.36.so\", \"libc-2.37.so\"]) && process.ancestors.comm\n in [\"\ - redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n-\ - \ id: redis_save_module\n version: b1cb9110\n description: Redis module has\ - \ been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\"\ - , ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\"\ - , \"redis-server\"]\n 
agent_version: ''\n filters: []\n- id: runc_modification\n\ - \ version: c7144439\n description: The runc binary was modified in a non-standard\ - \ way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\"\ - , \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY\ - \ > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n agent_version: ''\n filters: []\n- id: scheduled_task_creation\n version:\ - \ 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name\ - \ in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os\ - \ == \"windows\"\n- id: selinux_disable_enforcement\n version: afa9a8ba\n \ - \ description: SELinux enforcement status was disabled\n expression: selinux.enforce.status\ - \ in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\ - \n agent_version: ''\n filters: []\n- id: sensitive_tracing\n version: c4585b20\n\ - \ description: A process is tracing privileged processes or sshd for possible\ - \ credential\n dumping\n expression: (ptrace.request == PTRACE_PEEKTEXT\ - \ || ptrace.request == PTRACE_PEEKDATA\n || ptrace.request == PTRACE_PEEKUSR)\ - \ && ptrace.tracee.euid == 0 && process.comm\n not in [\"dlv\", \"dlv-linux-amd64\"\ - , \"strace\", \"gdb\", \"lldb-server\"]\n agent_version: ''\n filters:\n \ - \ - os == \"linux\"\n- id: service_stop\n version: 8e434232\n description:\ - \ systemctl used to stop a service\n expression: exec.file.name == \"systemctl\"\ - \ && exec.args in [~\"*stop*\"]\n 
agent_version: ''\n filters: []\n- id: shell_history_deleted\n\ - \ version: ff763e6\n description: Shell History was Deleted\n expression:\ - \ (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n \ - \ not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters: []\n\ - - id: shell_history_symlink\n version: 31982e4d\n description: A symbolic\ - \ link for shell history was created targeting /dev/null\n expression: exec.comm\ - \ == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version:\ - \ ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description:\ - \ Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path\ - \ in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\ - \n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version:\ - \ d1cecdac\n description: Shell profile was modified\n expression: open.file.path\ - \ in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY))\ - \ > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n\ - \ version: 79be8a18\n description: SSH modified keys may have been modified\n\ - \ expression: |-\n (\n chmod.file.name in [ \"authorized_keys\",\ - \ \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\"\ - , ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n\ - \ agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version:\ - \ 7c835bfd\n description: SSH modified keys may have been modified\n expression:\ - \ |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ - \ ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ - \ ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ - \ != 
chown.file.gid)\n agent_version: ''\n filters:\n - os == \"linux\"\n\ - - id: ssh_authorized_keys_link\n version: 979d56a1\n description: SSH modified\ - \ keys may have been modified\n expression: |-\n (\n link.file.name\ - \ in [ \"authorized_keys\", \"authorized_keys2\" ] && (link.file.path in [ ~\"\ - /root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path\ - \ in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n \ - \ )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n\ - \ version: c4fa7b8f\n description: SSH modified keys may have been modified\n\ - \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ - \ ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ - \ ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n\ - \ version: 513f8108\n description: SSH modified keys may have been modified\n\ - \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ - \ ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ - \ ])\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n\ - \ - os == \"linux\"\n- id: ssh_authorized_keys_rename\n version: 6f58449a\n\ - \ description: SSH modified keys may have been modified\n expression: |-\n\ - \ (\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ - \ ] && (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ - \ ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\"\ - , ~\"/var/lib/*/.ssh/*\" ])\n )\n agent_version: ''\n filters:\n - os\ - \ == \"linux\"\n- id: ssh_authorized_keys_unlink\n version: 41090e4e\n description:\ - \ SSH modified keys may have been modified\n expression: |-\n 
(\n \ - \ unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (unlink.file.path\ - \ in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n \ - \ )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssh_authorized_keys_utimes\n\ - \ version: c614f0d\n description: SSH modified keys may have been modified\n\ - \ expression: |-\n (\n utimes.file.name in [ \"authorized_keys\"\ - , \"authorized_keys2\" ] && (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\"\ - , ~\"/var/lib/*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id:\ - \ ssl_certificate_tampering_chmod\n version: 128236e9\n description: SSL certificates\ - \ may have been tampered with\n expression: |-\n (\n (chmod.file.path\ - \ in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n\ - \ && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ - \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ - \ ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 5af3db18\n\ - \ description: SSL certificates may have been tampered with\n expression:\ - \ |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid\ - \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n &&\ - \ process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ - \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n\ - \ version: 1f02b72d\n description: SSL certificates may have been tampered\ - \ with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\"\ - , ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\"\ - , ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n \ - \ && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ - \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name\ - \ !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n\ - \ version: c34bcf3a\n description: SSL certificates may have been tampered\ - \ with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY)\ - \ > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ - \ ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ - \n && process.ancestors.file.path != 
\"/usr/sbin/update-ca-certificates\"\ - \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name\ - \ !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open_v2\n\ - \ version: a90058eb\n description: SSL certificates may have been tampered\ - \ with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY)\ - \ > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ - \ ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ - \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ - \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name\ - \ !~ \"runc*\"\n && container.created_at > 90s\n agent_version: ''\n filters:\n\ - \ - os == \"linux\"\n- id: ssl_certificate_tampering_rename\n version: e74f2226\n\ - \ description: SSL certificates may have been tampered with\n expression:\ - \ |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ - \ ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"\ - /etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"\ - /usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n\ - \ && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\ - \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name\ - \ !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_unlink\n\ - \ version: 774e2aea\n description: SSL certificates may have been tampered\ - \ with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n &&\ - \ process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ - \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ - \ ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n\ - \ description: SSL certificates may have been tampered with\n expression:\ - \ |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \ - \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ - /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n &&\ - \ process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ - \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: 
sudoers_policy_modified_chmod\n\ - \ version: ae70daab\n description: Sudoers policy file may have been modified\ - \ without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\ - \") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path\ - \ not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\ - \", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"\ - /usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\ - \"\\\n ]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_chown\n\ - \ version: 898b1aa0\n description: Sudoers policy file may have been modified\ - \ without authorization\n expression: |-\n (\n (chown.file.path ==\ - \ \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid\ - \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters:\ - \ []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description:\ - \ Sudoers policy file may have been modified without authorization\n expression:\ - \ |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path\ - \ == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n\ - \ version: af2610b6\n description: Sudoers policy file may have been modified\ - \ without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not\ - \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ - \n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description:\ - \ Sudoers policy file may have been modified without authorization\n expression:\ - \ |-\n (\n 
(rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path\ - \ == \"/etc/sudoers\")\n )\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description:\ - \ Sudoers policy file may have been modified without authorization\n expression:\ - \ |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version:\ - \ ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n\ - \ description: Sudoers policy file may have been modified without authorization\n\ - \ expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n \ - \ ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ - /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"\ - /usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: suid_file_execution\n\ - \ version: 1b4f4075\n description: a SUID file was executed\n expression:\ - \ (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n \ - \ > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path\ - \ != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_bitsadmin_usage\n\ - \ version: 86c03d62\n description: A suspicious bitsadmin command has been\ - \ executed\n expression: exec.file.name == \"bitsadmin.exe\" && exec.cmdline\ - \ in [~\"*addfile*\",\n ~\"*create*\", ~\"*resume*\"]\n agent_version: ''\n\ - \ filters:\n - os == \"windows\"\n- id: suspicious_container_client\n version:\ - \ 8b9461f4\n description: A container management utility was executed in a\ - \ container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id\ - \ != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: suspicious_suid_execution\n\ - \ version: 216c8207\n description: Recently written or modified suid file\ - \ has been executed\n expression: 
((process.file.mode & S_ISUID > 0) && process.file.modification_time\n\ - \ < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in\ - \ [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\"\ - , \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\"\ - , \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\"\ - , \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \ - \ \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"\ - ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n\ - \ version: e555b2b0\n description: A service may have been modified without\ - \ authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"\ - /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode\ - \ != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n\ - \ version: a0497885\n description: A service may have been modified without\ - \ authorization\n expression: |-\n (\n (chown.file.path in [ ~\"\ - /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid\ - \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version:\ - \ ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n\ - \ description: A 
service may have been modified without authorization\n expression:\ - \ |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ - , ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [\ - \ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ - \ ''\n filters: []\n- id: systemd_modification_open\n version: 13b2daf3\n\ - \ description: A service may have been modified without authorization\n expression:\ - \ |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n \ - \ (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ - , ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_rename\n\ - \ version: 9759ce6\n description: A service may have been modified without\ - \ authorization\n expression: |-\n (\n (rename.file.path in [ ~\"\ - /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ - \ ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\"\ - , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n &&\ - \ process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\"\ - , \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"\ - /usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ - \ ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n\ - \ description: A service may 
have been modified without authorization\n expression:\ - \ |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"\ - /usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: systemd_modification_utimes\n version: 82acf2d\n description:\ - \ A service may have been modified without authorization\n expression: |-\n\ - \ (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ - , ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tar_execution\n\ - \ version: e63af392\n description: Tar archive created\n expression: exec.file.path\ - \ == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: tde_malware_egress_traffic_allowed_iptables\n\ - \ version: 14f124d7\n description: iptables used to allow egress traffic\n\ - \ expression: exec.comm == \"iptables\" && process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\\ - d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"]\n && process.args not in [r\"(127\\.)|(10\\\ - .)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(172\\.3[0-1]|\\.)|(192\\.168\\.)|(169\\\ - .254\\.)\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_files_with_extensions_created\n\ - \ version: 161c317f\n description: Multiple files with extensions created\ - \ under common user directories\n expression: rename.file.path in [~\"/home/**\"\ - , ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\",\n 
~\"/var/log/**\", ~\"\ - /var/lib/log/**\", ~\"/var/backup/*\", ~\"/var/www/**\"] && rename.file.destination.name\n\ - \ in [r\"\\.[0-9a-z]+$\"] && rename.file.destination.name not in [r\".*\\\ - .(lock|dbtmp|log|journal|ini|sh|json|yml|tmp|snap|txt|pyc|stat|hcl|[0-9])+$\"\ - ]\n && process.comm not in [\"python\",\"python3\",\"agent\",\"security-agent\"\ - ,\"kubectl\",\"kubelet\",\"datadog-cluster\"]\n agent_version: ''\n filters:\n\ - \ - os == \"linux\"\n- id: tde_malware_kernel_module_loaded_from_tmp\n version:\ - \ 7673f399\n description: Kernel module loaded from common tmp directories\n\ - \ expression: load_module.file.path in [ ~\"/tmp/**\", ~\"/var/tmp/**\" ]\n\ - \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_libpam_hooked_using_ebpf\n\ - \ version: adbe1bb1\n description: Libpam.so library hooked using ebpf\n \ - \ expression: bpf.cmd == BPF_MAP_CREATE && process.args in [r\".*libpam.so.*\"\ - ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_privileged_processes_or_sshd_traced\n\ - \ version: eda95b21\n description: A process is tracing privileged processes\ - \ or sshd for possible credential\n dumping\n expression: ((ptrace.tracee.euid==0\ - \ && ptrace.tracee.uid ==0)||ptrace.tracee.comm\n in [~\"*sshd*\"]) && process.comm\ - \ not in [\"dlv\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n-\ - \ id: tde_malware_proxychains_executed\n version: 192a7f03\n description:\ - \ Proxychaining technique used\n expression: exec.comm == \"proxychains\"\n\ - \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_malware_ransomware_notes_written\n\ - \ version: 6d3052dc\n description: A possible ransomware note created under\ - \ common user directories\n expression: open.file.path in [~\"/home/**\", ~\"\ - /root/**\", ~\"/bin/**\", ~\"/usr/bin/**\",\n ~\"/opt/**\", ~\"/etc/**\"\ - , ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\",\n ~\"/var/www/**\"\ - ] && open.file.name in 
[r\".*(restore|recovery|readme|instruction|how_to|ransom).*\"\ - ,\n r\".*(your_|crypt|lock|important).*\\.txt$\"]\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: tde_malware_system_logs_deleted\n version:\ - \ f5fec42d\n description: A process deleted common system log files\n expression:\ - \ unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\"\ - ,\n \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\"\ - ,\n \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"\ - /var/log/kern.log\"]\n && process.comm !=\"dockerd\"\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: tde_malware_tunneling_and_port_forwarding_technique_used\n\ - \ version: e253fced\n description: Tunneling and port forwarding tool used\n\ - \ expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args\n\ - \ in [r\".*(-L|-C|-R).*\"])||(exec.comm in [\"ssh\", \"sshd\"] && process.args\ - \ in [r\".*(-R|-L|-D|w).*\"]\n && process.args in [r\"((25[0-5]|(2[0-4]|1\\\ - d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm\n == \"sshuttle\" && process.args\ - \ in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm\n == \"socat\" &&\ - \ process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in\n [\"\ - iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\"\ - , \"ssf\", \"3proxy\",\n \"ngrok\"] && process.parent.comm in [\"bash\",\ - \ \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\"\ - ])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tde_nsenter_pid1_detection\n\ - \ version: 7a2d42c7\n description: nsenter used in container to execute code\ - \ on the OS PID1\n expression: exec.file.name == \"nsenter\" && exec.args_options\ - \ in [\"target=1\", \"t=1\"]\n && container.id !=\"\"\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: tde_red_team_domains_used\n version:\ - \ 1b507607\n description: Connection to 
red team domain\n expression: dns.question.name\ - \ in [~\"*.interact.sh\" , ~\"*.oast.pro\" , ~\"*.oast.live\"\n , ~\"*.oast.site\"\ - \ , ~\"*.oast.online\" , ~\"*.oast.fun\" , ~\"*.oast.me\" , ~\"*.burpcollaborator.net\"\ - \n , ~\"*.oastify.com\" , ~\"*canarytokens.com\" , ~\"*.requestbin.net\"\ - \ , ~\"*.dnslog.cn\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n\ - - id: tde_testing_tampering\n version: c2be3b92\n description: testing only\n\ - \ expression: exec.comm == \"abcdefgh\"\n agent_version: ''\n filters:\n\ - \ - os == \"linux\"\n- id: tty_shell_in_container\n version: 3d9489bb\n description:\ - \ A shell with a TTY was executed in a container\n expression: |-\n exec.file.path\ - \ in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"\ - /bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\"\ - ,\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\"\ - ,\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\"\ - ,\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n\ - \ \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \ - \ \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\"\ - ,\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n\ - \ \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \ - \ \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id\ - \ != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version:\ - \ 816201a5\n description: Tunneling or port forwarding tool used\n expression:\ - \ ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args\n\ - \ in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args\ - \ in [r\".*(-R|-L|-D|w).*\"]\n && process.args in [r\"((25[0-5]|(2[0-4]|1\\\ - d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm\n == \"sshuttle\" && process.args\ - \ in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm\n == \"socat\" &&\ - \ process.args in 
[r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in\n [\"\ - iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\"\ - , \"ssf\", \"3proxy\",\n \"ngrok\"] && process.parent.comm in [\"bash\",\ - \ \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\"\ - ])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n\ - \ version: 5b5f4a52\n description: A user was created via an interactive session\n\ - \ expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] &&\ - \ exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\"\ - , \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version:\ - \ ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description:\ - \ A user was deleted via an interactive session\n expression: exec.file.name\ - \ in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - ,\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ - , \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: wmi_spawning_shell\n\ - \ version: 6b9ff5c7\n description: Command executed via WMI\n expression:\ - \ exec.file.name in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name\n\ - \ == \"WmiPrvSE.exe\"\n agent_version: ''\n filters:\n - os == \"windows\"\ - \n" - code: 200 - duration: 0ms - headers: - Content-Type: - - application/yaml - status: 200 OK -version: 2 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
deleted file mode 100644
index 36950db3c90..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2024-03-08T14:19:15.935Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml
deleted file mode 100644
index 790baef7ea2..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.yaml
+++ /dev/null
@@ -1,65 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1709907555"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules - response: - body: '{"data":{"id":"oes-jfu-tm8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1709907556177,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1709907555","updateDate":1709907556177,"updater":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: | - {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path = sh"},"id":"abc-123-xyz","type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 1 - method: PATCH - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/oes-jfu-tm8 - response: - body: '{"errors":[{"title":"failed to update rule"}]} - - ' - code: 400 - duration: 0ms - headers: - Content-Type: - - application/json - status: 400 Bad Request -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 2 - method: DELETE - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/oes-jfu-tm8 - response: - body: '' - code: 204 - duration: 0ms - headers: - Content-Type: - - application/json - status: 204 No Content -version: 2 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze deleted file mode 100644 index 205d72408c0..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:17.581Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml deleted file mode 100644 index 51148f379d1..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.yaml +++ /dev/null @@ -1,24 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\""},"id":"abc-123-xyz","type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: PATCH - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz - response: - body: '{"errors":[{"title":"failed to update rule"}]} - - ' - code: 404 - duration: 0ms - headers: - Content-Type: - - application/json - status: 404 Not Found -version: 2 
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index 0c7bf42c8f1..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2024-03-08T14:19:17.965Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
deleted file mode 100644
index f7f5c89c814..00000000000
--- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_CSM_Threats_Agent_rule_returns_OK_response.yaml
+++ /dev/null
@@ -1,67 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsokresponse1709907557"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules - response: - body: '{"data":{"id":"qp6-ix5-6o6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1709907558307,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsokresponse1709907557","updateDate":1709907558307,"updater":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: | - {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\""},"id":"qp6-ix5-6o6","type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 1 - method: PATCH - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qp6-ix5-6o6 - response: - body: '{"data":{"id":"qp6-ix5-6o6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1709907558000,"creator":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsokresponse1709907557","updateDate":1709907559088,"updater":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"}}}}' - code: 200 - duration: 0ms 
- headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 2 - method: DELETE - url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qp6-ix5-6o6 - response: - body: '' - code: 204 - duration: 0ms - headers: - Content-Type: - - application/json - status: 204 No Content -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze deleted file mode 100644 index 2d0f6f108f8..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:20.303Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml deleted file mode 100644 index 8b99165b583..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709907560"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules - response: - body: '{"data":{"id":"bvz-vbk-lmb","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709907560","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907560595,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907560595,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} - - ' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: | - {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path = sh"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 1 - method: PATCH - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bvz-vbk-lmb - response: - body: '{"errors":["input_validation_error(Field ''expression'' is invalid: rule - `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1709907560` - error: syntax error `1:18: unexpected token \"sh\" (expected \"~\")`)"]} - - ' - code: 400 - duration: 0ms - headers: - Content-Type: - - application/json - 
status: 400 Bad Request -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 2 - method: DELETE - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bvz-vbk-lmb - response: - body: '' - code: 204 - duration: 0ms - headers: {} - status: 204 No Content -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze deleted file mode 100644 index aab8c031377..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:21.451Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml deleted file mode 100644 index bccbb853aea..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\""},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: PATCH - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz - response: - body: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]} - - ' - code: 404 - duration: 0ms - headers: - Content-Type: - - application/json - status: 404 Not Found -version: 2 diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze deleted file mode 100644 index 944438cc312..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze +++ /dev/null @@ -1 +0,0 @@ -2024-03-08T14:19:21.789Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml deleted file mode 100644 index 6531e6911d6..00000000000 --- a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Cloud_Workload_Security/Scenario_Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -interactions: -- request: - body: | - {"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1709907561"},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 0 - method: POST - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules - response: - body: '{"data":{"id":"usl-wf5-qjp","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1709907561","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907562158,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907562158,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} - - ' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: | - {"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\""},"type":"agent_rule"}} - form: {} - headers: - Accept: - - application/json - Content-Type: - - application/json - id: 1 - method: PATCH - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/usl-wf5-qjp - response: - body: '{"data":{"id":"usl-wf5-qjp","attributes":{"version":2,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1709907561","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","creationDate":1709907562158,"updateAuthorUuId":"cc32ddea-b5e4-11ec-93be-da7ad0900002","updateDate":1709907562613,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Malo - Le Goff","handle":"malo.legoff@datadoghq.com"},"updater":{"name":"Malo Le Goff","handle":"malo.legoff@datadoghq.com"}},"type":"agent_rule"}} - - ' - code: 200 - duration: 0ms - headers: - Content-Type: - - application/json - status: 200 OK -- request: - body: '' - form: {} - headers: - Accept: - - '*/*' - id: 2 - method: DELETE - url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/usl-wf5-qjp - response: - body: '' - code: 204 - duration: 0ms - headers: {} - status: 204 No Content -version: 2 diff --git a/tests/scenarios/features/v2/csm_threats.feature b/tests/scenarios/features/v2/csm_threats.feature index 9de7fc15e0a..739dee5a604 100644 --- a/tests/scenarios/features/v2/csm_threats.feature +++ b/tests/scenarios/features/v2/csm_threats.feature @@ -28,7 +28,7 @@ Feature: CSM Threats @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a CSM Threats Agent rule returns "OK" response Given new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": ["os == \"linux\""], "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} When the request is sent Then the response status is 200 OK
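Review bot: The new `filters` attribute is exercised only on the success path: the scenario sends a well-formed `os == \"linux\"` filter and asserts 200 OK, but nothing in this hunk checks that a malformed filter is rejected. Since `filters` is a server-evaluated expression that decides which hosts a rule is pushed to, a companion scenario sending e.g. `And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": ["os = linux"], "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}}` with `Then the response status is 400 Bad Request` would pin that validation, the way the removed Bad Request cassettes in this diff do for an invalid `expression`. The rest of the feature file is outside the hunk, so another scenario may already cover this; if so, ignore.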