diff --git a/.apigentools-info b/.apigentools-info index 8c2c8ba94..6035e1f9b 100644 --- a/.apigentools-info +++ b/.apigentools-info @@ -4,13 +4,13 @@ "spec_versions": { "v1": { "apigentools_version": "1.6.6", - "regenerated": "2025-05-14 15:44:18.586011", - "spec_repo_commit": "64f5e7ee" + "regenerated": "2025-05-15 12:25:27.446694", + "spec_repo_commit": "7d24e85a" }, "v2": { "apigentools_version": "1.6.6", - "regenerated": "2025-05-14 15:44:18.601730", - "spec_repo_commit": "64f5e7ee" + "regenerated": "2025-05-15 12:25:27.463131", + "spec_repo_commit": "7d24e85a" } } } \ No newline at end of file diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 094dc6eb7..fb8c8481b 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml 
@@ -7469,6 +7469,50 @@ components: type: string kill: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleKill' + metadata: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActionMetadata' + set: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActionSet' + type: object + CloudWorkloadSecurityAgentRuleActionMetadata: + description: The metadata action applied on the scope matching the rule + properties: + image_tag: + description: The image tag of the metadata action + type: string + service: + description: The service of the metadata action + type: string + short_image: + description: The short image of the metadata action + type: string + type: object + CloudWorkloadSecurityAgentRuleActionSet: + description: The set action applied on the scope matching the rule + properties: + append: + description: Whether the value should be appended to the field + type: boolean + field: + description: The field of the set action + type: string + name: + description: The name of the set action + type: string + scope: + description: The scope of the set action + type: string + size: + description: The size of the set action + format: int64 + type: integer + ttl: + description: The time to live of the set action + format: int64 + type: integer + value: + description: The value of the set action + type: string type: object CloudWorkloadSecurityAgentRuleActions: description: The array of actions the rule can perform if triggered @@ -7484,6 +7528,11 @@ components: agentConstraint: description: The version of the Agent type: string + blocking: + description: The blocking policies that the rule belongs to + items: + type: string + type: array category: description: The category of the Agent rule example: Process Activity 
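Review bot: `CloudWorkloadSecurityAgentRuleAction` now lists `kill`, `metadata` and `set` side by side without saying whether an action may carry more than one of them, and the new `CloudWorkloadSecurityAgentRuleActionSet` descriptions only restate the property names (`The field of the set action`, `The size of the set action`) without the unit of `ttl` or the bound that `size` expresses. These descriptions become the doc comments of the generated Rust models and builders (the `metadata`/`set` builder methods in `model_cloud_workload_security_agent_rule_action.rs` and the new `model_cloud_workload_security_agent_rule_action_set.rs`), so a client author cannot tell whether a negative `ttl`, an empty `scope`, or a `kill` combined with a `set` is rejected by the service or silently accepted. Suggest `description: The time to live of the set action, in <UNIT — confirm with the service>` and `description: The size of the set action (<BOUND — confirm with the service>)`, plus a sentence on the action schema stating whether `kill`, `metadata` and `set` are mutually exclusive. If this file mirrors the upstream spec repository, the wording change belongs there so it survives the next regeneration.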
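Review bot: `blocking`, `disabled` and `monitoring` are added as bare `array` of `string` with the description `The blocking policies that the rule belongs to`, which leaves open whether each entry is a policy ID in the form `policy_id` uses (`a8c8e364-6556-434d-b798-a4c23de29c0b`) or a policy name, and what it means when the same policy appears in two of the lists. For someone auditing which policies actually enforce a rule, a rule present in both `blocking` and `disabled` for one policy is ambiguous, and the schema gives no precedence. Suggest `description: IDs of the policies in which this rule runs in blocking mode` (confirm ID versus name against the service) and one sentence stating that the three lists are disjoint or which one wins. The identical descriptions recur in the `CloudWorkloadSecurityAgentRuleCreateAttributes` and `CloudWorkloadSecurityAgentRuleUpdateAttributes` hunks that follow and in the generated Rust attribute models, so fixing the wording once in the spec covers all of them.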
@@ -7507,6 +7556,11 @@ components: description: The description of the Agent rule example: My Agent rule type: string + disabled: + description: The disabled policies that the rule belongs to + items: + type: string + type: array enabled: description: Whether the Agent rule is enabled example: true @@ -7520,6 +7574,11 @@ components: items: type: string type: array + monitoring: + description: The monitoring policies that the rule belongs to + items: + type: string + type: array name: description: The name of the Agent rule example: my_agent_rule @@ -7554,10 +7613,20 @@ components: CloudWorkloadSecurityAgentRuleCreateAttributes: description: Create a new Cloud Workload Security Agent rule. properties: + blocking: + description: The blocking policies that the rule belongs to + items: + type: string + type: array description: description: The description of the Agent rule. example: My Agent rule type: string + disabled: + description: The disabled policies that the rule belongs to + items: + type: string + type: array enabled: description: Whether the Agent rule is enabled example: true @@ -7571,6 +7640,11 @@ components: items: type: string type: array + monitoring: + description: The monitoring policies that the rule belongs to + items: + type: string + type: array name: description: The name of the Agent rule. example: my_agent_rule @@ -7661,10 +7735,20 @@ components: CloudWorkloadSecurityAgentRuleUpdateAttributes: description: Update an existing Cloud Workload Security Agent rule properties: + blocking: + description: The blocking policies that the rule belongs to + items: + type: string + type: array description: description: The description of the Agent rule example: My Agent rule type: string + disabled: + description: The disabled policies that the rule belongs to + items: + type: string + type: array enabled: description: Whether the Agent rule is enabled example: true 
@@ -7673,6 +7757,11 @@ components: description: The SECL expression of the Agent rule example: exec.file.name == "sh" type: string + monitoring: + description: The monitoring policies that the rule belongs to + items: + type: string + type: array policy_id: description: The ID of the policy where the Agent rule is saved example: a8c8e364-6556-434d-b798-a4c23de29c0b diff --git a/src/datadogV2/model/mod.rs b/src/datadogV2/model/mod.rs index e8f4de43f..045218f30 100644 --- a/src/datadogV2/model/mod.rs +++ b/src/datadogV2/model/mod.rs @@ -3100,6 +3100,10 @@ pub mod model_cloud_workload_security_agent_rule_action; pub use self::model_cloud_workload_security_agent_rule_action::CloudWorkloadSecurityAgentRuleAction; pub mod model_cloud_workload_security_agent_rule_kill; pub use self::model_cloud_workload_security_agent_rule_kill::CloudWorkloadSecurityAgentRuleKill; +pub mod model_cloud_workload_security_agent_rule_action_metadata; +pub use self::model_cloud_workload_security_agent_rule_action_metadata::CloudWorkloadSecurityAgentRuleActionMetadata; +pub mod model_cloud_workload_security_agent_rule_action_set; +pub use self::model_cloud_workload_security_agent_rule_action_set::CloudWorkloadSecurityAgentRuleActionSet; pub mod model_cloud_workload_security_agent_rule_creator_attributes; pub use self::model_cloud_workload_security_agent_rule_creator_attributes::CloudWorkloadSecurityAgentRuleCreatorAttributes; pub mod model_cloud_workload_security_agent_rule_updater_attributes; diff --git a/src/datadogV2/model/model_cloud_workload_security_agent_rule_action.rs b/src/datadogV2/model/model_cloud_workload_security_agent_rule_action.rs index 8d7b67c06..a393a88fa 100644 --- a/src/datadogV2/model/model_cloud_workload_security_agent_rule_action.rs +++ b/src/datadogV2/model/model_cloud_workload_security_agent_rule_action.rs 
@@ -17,6 +17,12 @@ pub struct CloudWorkloadSecurityAgentRuleAction { /// Kill system call applied on the container matching the rule #[serde(rename = "kill")] pub kill: Option, + /// The metadata action applied on the scope matching the rule + #[serde(rename = "metadata")] + pub metadata: Option, + /// The set action applied on the scope matching the rule + #[serde(rename = "set")] + pub set: Option, #[serde(flatten)] pub additional_properties: std::collections::BTreeMap, #[serde(skip)] @@ -29,6 +35,8 @@ impl CloudWorkloadSecurityAgentRuleAction { CloudWorkloadSecurityAgentRuleAction { filter: None, kill: None, + metadata: None, + set: None, additional_properties: std::collections::BTreeMap::new(), _unparsed: false, } @@ -47,6 +55,22 @@ impl CloudWorkloadSecurityAgentRuleAction { self } + pub fn metadata( + mut self, + value: crate::datadogV2::model::CloudWorkloadSecurityAgentRuleActionMetadata, + ) -> Self { + self.metadata = Some(value); + self + } + + pub fn set( + mut self, + value: crate::datadogV2::model::CloudWorkloadSecurityAgentRuleActionSet, + ) -> Self { + self.set = Some(value); + self + } + pub fn additional_properties( mut self, value: std::collections::BTreeMap, @@ -82,6 +106,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleAction { let mut filter: Option = None; let mut kill: Option = None; + let mut metadata: Option< + crate::datadogV2::model::CloudWorkloadSecurityAgentRuleActionMetadata, + > = None; + let mut set: Option< + crate::datadogV2::model::CloudWorkloadSecurityAgentRuleActionSet, + > = None; let mut additional_properties: std::collections::BTreeMap< String, serde_json::Value, 
@@ -102,6 +132,18 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleAction { } kill = Some(serde_json::from_value(v).map_err(M::Error::custom)?); } + "metadata" => { + if v.is_null() { + continue; + } + metadata = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + "set" => { + if v.is_null() { + continue; + } + set = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } &_ => { if let Ok(value) = serde_json::from_value(v.clone()) { additional_properties.insert(k, value); @@ -113,6 +155,8 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleAction { let content = CloudWorkloadSecurityAgentRuleAction { filter, kill, + metadata, + set, additional_properties, _unparsed, }; diff --git a/src/datadogV2/model/model_cloud_workload_security_agent_rule_action_metadata.rs b/src/datadogV2/model/model_cloud_workload_security_agent_rule_action_metadata.rs new file mode 100644 index 000000000..6123806fb --- /dev/null +++ b/src/datadogV2/model/model_cloud_workload_security_agent_rule_action_metadata.rs 
@@ -0,0 +1,140 @@ +// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2019-Present Datadog, Inc. +use serde::de::{Error, MapAccess, Visitor}; +use serde::{Deserialize, Deserializer, Serialize}; +use serde_with::skip_serializing_none; +use std::fmt::{self, Formatter}; + +/// The metadata action applied on the scope matching the rule +#[non_exhaustive] +#[skip_serializing_none] +#[derive(Clone, Debug, PartialEq, Serialize)] +pub struct CloudWorkloadSecurityAgentRuleActionMetadata { + /// The image tag of the metadata action + #[serde(rename = "image_tag")] + pub image_tag: Option, + /// The service of the metadata action + #[serde(rename = "service")] + pub service: Option, + /// The short image of the metadata action + #[serde(rename = "short_image")] + pub short_image: Option, + #[serde(flatten)] + pub additional_properties: std::collections::BTreeMap, + #[serde(skip)] + #[serde(default)] + pub(crate) _unparsed: bool, +} + +impl CloudWorkloadSecurityAgentRuleActionMetadata { + pub fn new() -> CloudWorkloadSecurityAgentRuleActionMetadata { + CloudWorkloadSecurityAgentRuleActionMetadata { + image_tag: None, + service: None, + short_image: None, + additional_properties: std::collections::BTreeMap::new(), + _unparsed: false, + } + } + + pub fn image_tag(mut self, value: String) -> Self { + self.image_tag = Some(value); + self + } + + pub fn service(mut self, value: String) -> Self { + self.service = Some(value); + self + } + + pub fn short_image(mut self, value: String) -> Self { + self.short_image = Some(value); + self + } + + pub fn additional_properties( + mut self, + value: std::collections::BTreeMap, + ) -> Self { + self.additional_properties = value; + self + } +} + +impl Default for CloudWorkloadSecurityAgentRuleActionMetadata { + fn default() -> Self { + Self::new() + } +} + +impl<'de> Deserialize<'de> 
for CloudWorkloadSecurityAgentRuleActionMetadata { + fn deserialize(deserializer: D) -> Result + where + D: Deserializer<'de>, + { + struct CloudWorkloadSecurityAgentRuleActionMetadataVisitor; + impl<'a> Visitor<'a> for CloudWorkloadSecurityAgentRuleActionMetadataVisitor { + type Value = CloudWorkloadSecurityAgentRuleActionMetadata; + + fn expecting(&self, f: &mut Formatter<'_>) -> fmt::Result { + f.write_str("a mapping") + } + + fn visit_map(self, mut map: M) -> Result + where + M: MapAccess<'a>, + { + let mut image_tag: Option = None; + let mut service: Option = None; + let mut short_image: Option = None; + let mut additional_properties: std::collections::BTreeMap< + String, + serde_json::Value, + > = std::collections::BTreeMap::new(); + let mut _unparsed = false; + + while let Some((k, v)) = map.next_entry::()? { + match k.as_str() { + "image_tag" => { + if v.is_null() { + continue; + } + image_tag = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + "service" => { + if v.is_null() { + continue; + } + service = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + "short_image" => { + if v.is_null() { + continue; + } + short_image = + Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + &_ => { + if let Ok(value) = serde_json::from_value(v.clone()) { + additional_properties.insert(k, value); + } + } + } + } + + let content = CloudWorkloadSecurityAgentRuleActionMetadata { + image_tag, + service, + short_image, + additional_properties, + _unparsed, + }; + + Ok(content) + } + } + + deserializer.deserialize_any(CloudWorkloadSecurityAgentRuleActionMetadataVisitor) + } +} diff --git a/src/datadogV2/model/model_cloud_workload_security_agent_rule_action_set.rs b/src/datadogV2/model/model_cloud_workload_security_agent_rule_action_set.rs new file mode 100644 index 000000000..e3277a92e --- /dev/null +++ b/src/datadogV2/model/model_cloud_workload_security_agent_rule_action_set.rs 
@@ -0,0 +1,207 @@ +// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2019-Present Datadog, Inc. +use serde::de::{Error, MapAccess, Visitor}; +use serde::{Deserialize, Deserializer, Serialize}; +use serde_with::skip_serializing_none; +use std::fmt::{self, Formatter}; + +/// The set action applied on the scope matching the rule +#[non_exhaustive] +#[skip_serializing_none] +#[derive(Clone, Debug, PartialEq, Serialize)] +pub struct CloudWorkloadSecurityAgentRuleActionSet { + /// Whether the value should be appended to the field + #[serde(rename = "append")] + pub append: Option, + /// The field of the set action + #[serde(rename = "field")] + pub field: Option, + /// The name of the set action + #[serde(rename = "name")] + pub name: Option, + /// The scope of the set action + #[serde(rename = "scope")] + pub scope: Option, + /// The size of the set action + #[serde(rename = "size")] + pub size: Option, + /// The time to live of the set action + #[serde(rename = "ttl")] + pub ttl: Option, + /// The value of the set action + #[serde(rename = "value")] + pub value: Option, + #[serde(flatten)] + pub additional_properties: std::collections::BTreeMap, + #[serde(skip)] + #[serde(default)] + pub(crate) _unparsed: bool, +} + +impl CloudWorkloadSecurityAgentRuleActionSet { + pub fn new() -> CloudWorkloadSecurityAgentRuleActionSet { + CloudWorkloadSecurityAgentRuleActionSet { + append: None, + field: None, + name: None, + scope: None, + size: None, + ttl: None, + value: None, + additional_properties: std::collections::BTreeMap::new(), + _unparsed: false, + } + } + + pub fn append(mut self, value: bool) -> Self { + self.append = Some(value); + self + } + + pub fn field(mut self, value: String) -> Self { + self.field = Some(value); + self + } + + pub fn name(mut self, value: String) -> Self { + self.name = Some(value); + 
self + } + + pub fn scope(mut self, value: String) -> Self { + self.scope = Some(value); + self + } + + pub fn size(mut self, value: i64) -> Self { + self.size = Some(value); + self + } + + pub fn ttl(mut self, value: i64) -> Self { + self.ttl = Some(value); + self + } + + pub fn value(mut self, value: String) -> Self { + self.value = Some(value); + self + } + + pub fn additional_properties( + mut self, + value: std::collections::BTreeMap, + ) -> Self { + self.additional_properties = value; + self + } +} + +impl Default for CloudWorkloadSecurityAgentRuleActionSet { + fn default() -> Self { + Self::new() + } +} + +impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleActionSet { + fn deserialize(deserializer: D) -> Result + where + D: Deserializer<'de>, + { + struct CloudWorkloadSecurityAgentRuleActionSetVisitor; + impl<'a> Visitor<'a> for CloudWorkloadSecurityAgentRuleActionSetVisitor { + type Value = CloudWorkloadSecurityAgentRuleActionSet; + + fn expecting(&self, f: &mut Formatter<'_>) -> fmt::Result { + f.write_str("a mapping") + } + + fn visit_map(self, mut map: M) -> Result + where + M: MapAccess<'a>, + { + let mut append: Option = None; + let mut field: Option = None; + let mut name: Option = None; + let mut scope: Option = None; + let mut size: Option = None; + let mut ttl: Option = None; + let mut value: Option = None; + let mut additional_properties: std::collections::BTreeMap< + String, + serde_json::Value, + > = std::collections::BTreeMap::new(); + let mut _unparsed = false; + + while let Some((k, v)) = map.next_entry::()? 
{ + match k.as_str() { + "append" => { + if v.is_null() { + continue; + } + append = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + "field" => { + if v.is_null() { + continue; + } + field = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + "name" => { + if v.is_null() { + continue; + } + name = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + "scope" => { + if v.is_null() { + continue; + } + scope = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + "size" => { + if v.is_null() { + continue; + } + size = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + "ttl" => { + if v.is_null() { + continue; + } + ttl = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + "value" => { + if v.is_null() { + continue; + } + value = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } + &_ => { + if let Ok(value) = serde_json::from_value(v.clone()) { + additional_properties.insert(k, value); + } + } + } + } + + let content = CloudWorkloadSecurityAgentRuleActionSet { + append, + field, + name, + scope, + size, + ttl, + value, + additional_properties, + _unparsed, + }; + + Ok(content) + } + } + + deserializer.deserialize_any(CloudWorkloadSecurityAgentRuleActionSetVisitor) + } +} diff --git a/src/datadogV2/model/model_cloud_workload_security_agent_rule_attributes.rs b/src/datadogV2/model/model_cloud_workload_security_agent_rule_attributes.rs index 6fc350e6e..e6383ed35 100644 --- a/src/datadogV2/model/model_cloud_workload_security_agent_rule_attributes.rs +++ b/src/datadogV2/model/model_cloud_workload_security_agent_rule_attributes.rs 
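Review bot: In the `&_` fallback arm of `visit_map` the binding in `if let Ok(value) = serde_json::from_value(v.clone())` shadows the `value` local declared at the top of `visit_map` that holds this struct's own `value` field, so inside that arm `value` is the unknown property, not the set action's value; this struct is the only one in the change with a field literally named `value`, which makes the shadowing easy to misread. Renaming the inner binding, `if let Ok(extra) = serde_json::from_value(v.clone()) { additional_properties.insert(k, extra); }`, removes the ambiguity; since this file is generated, the rename belongs in the generator template rather than here. Separately, `size` and `ttl` are accepted as any `i64`, negative values included, and their doc comments (`The size of the set action`, `The time to live of the set action`) give no unit or range, so a caller has nothing to validate against before submitting the rule; presumably the service rejects out-of-range values, but that is not visible from the client.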
@@ -21,6 +21,9 @@ pub struct CloudWorkloadSecurityAgentRuleAttributes { /// The version of the Agent #[serde(rename = "agentConstraint")] pub agent_constraint: Option, + /// The blocking policies that the rule belongs to + #[serde(rename = "blocking")] + pub blocking: Option>, /// The category of the Agent rule #[serde(rename = "category")] pub category: Option, @@ -39,6 +42,9 @@ pub struct CloudWorkloadSecurityAgentRuleAttributes { /// The description of the Agent rule #[serde(rename = "description")] pub description: Option, + /// The disabled policies that the rule belongs to + #[serde(rename = "disabled")] + pub disabled: Option>, /// Whether the Agent rule is enabled #[serde(rename = "enabled")] pub enabled: Option, @@ -48,6 +54,9 @@ pub struct CloudWorkloadSecurityAgentRuleAttributes { /// The platforms the Agent rule is supported on #[serde(rename = "filters")] pub filters: Option>, + /// The monitoring policies that the rule belongs to + #[serde(rename = "monitoring")] + pub monitoring: Option>, /// The name of the Agent rule #[serde(rename = "name")] pub name: Option, @@ -81,15 +90,18 @@ impl CloudWorkloadSecurityAgentRuleAttributes { CloudWorkloadSecurityAgentRuleAttributes { actions: None, agent_constraint: None, + blocking: None, category: None, creation_author_uu_id: None, creation_date: None, creator: None, default_rule: None, description: None, + disabled: None, enabled: None, expression: None, filters: None, + monitoring: None, name: None, product_tags: None, update_author_uu_id: None, @@ -115,6 +127,11 @@ impl CloudWorkloadSecurityAgentRuleAttributes { self } + pub fn blocking(mut self, value: Vec) -> Self { + self.blocking = Some(value); + self + } + pub fn category(mut self, value: String) -> Self { self.category = Some(value); self 
@@ -148,6 +165,11 @@ impl CloudWorkloadSecurityAgentRuleAttributes { self } + pub fn disabled(mut self, value: Vec) -> Self { + self.disabled = Some(value); + self + } + pub fn enabled(mut self, value: bool) -> Self { self.enabled = Some(value); self @@ -163,6 +185,11 @@ impl CloudWorkloadSecurityAgentRuleAttributes { self } + pub fn monitoring(mut self, value: Vec) -> Self { + self.monitoring = Some(value); + self + } + pub fn name(mut self, value: String) -> Self { self.name = Some(value); self @@ -237,6 +264,7 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleAttributes { Option>, > = None; let mut agent_constraint: Option = None; + let mut blocking: Option> = None; let mut category: Option = None; let mut creation_author_uu_id: Option = None; let mut creation_date: Option = None; @@ -245,9 +273,11 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleAttributes { > = None; let mut default_rule: Option = None; let mut description: Option = None; + let mut disabled: Option> = None; let mut enabled: Option = None; let mut expression: Option = None; let mut filters: Option> = None; + let mut monitoring: Option> = None; let mut name: Option = None; let mut product_tags: Option> = None; let mut update_author_uu_id: Option = None; @@ -275,6 +305,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleAttributes { agent_constraint = Some(serde_json::from_value(v).map_err(M::Error::custom)?); } + "blocking" => { + if v.is_null() { + continue; + } + blocking = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } "category" => { if v.is_null() { continue; @@ -315,6 +351,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleAttributes { description = Some(serde_json::from_value(v).map_err(M::Error::custom)?); } + "disabled" => { + if v.is_null() { + continue; + } + disabled = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } "enabled" => { if v.is_null() { continue; 
@@ -333,6 +375,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleAttributes { } filters = Some(serde_json::from_value(v).map_err(M::Error::custom)?); } + "monitoring" => { + if v.is_null() { + continue; + } + monitoring = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } "name" => { if v.is_null() { continue; @@ -389,15 +437,18 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleAttributes { let content = CloudWorkloadSecurityAgentRuleAttributes { actions, agent_constraint, + blocking, category, creation_author_uu_id, creation_date, creator, default_rule, description, + disabled, enabled, expression, filters, + monitoring, name, product_tags, update_author_uu_id, diff --git a/src/datadogV2/model/model_cloud_workload_security_agent_rule_create_attributes.rs b/src/datadogV2/model/model_cloud_workload_security_agent_rule_create_attributes.rs index e6b384a2f..27aa274a9 100644 --- a/src/datadogV2/model/model_cloud_workload_security_agent_rule_create_attributes.rs +++ b/src/datadogV2/model/model_cloud_workload_security_agent_rule_create_attributes.rs @@ -11,9 +11,15 @@ use std::fmt::{self, Formatter}; #[skip_serializing_none] #[derive(Clone, Debug, PartialEq, Serialize)] pub struct CloudWorkloadSecurityAgentRuleCreateAttributes { + /// The blocking policies that the rule belongs to + #[serde(rename = "blocking")] + pub blocking: Option>, /// The description of the Agent rule. #[serde(rename = "description")] pub description: Option, + /// The disabled policies that the rule belongs to + #[serde(rename = "disabled")] + pub disabled: Option>, /// Whether the Agent rule is enabled #[serde(rename = "enabled")] pub enabled: Option, 
@@ -23,6 +29,9 @@ pub struct CloudWorkloadSecurityAgentRuleCreateAttributes { /// The platforms the Agent rule is supported on #[serde(rename = "filters")] pub filters: Option>, + /// The monitoring policies that the rule belongs to + #[serde(rename = "monitoring")] + pub monitoring: Option>, /// The name of the Agent rule. #[serde(rename = "name")] pub name: String, @@ -42,10 +51,13 @@ pub struct CloudWorkloadSecurityAgentRuleCreateAttributes { impl CloudWorkloadSecurityAgentRuleCreateAttributes { pub fn new(expression: String, name: String) -> CloudWorkloadSecurityAgentRuleCreateAttributes { CloudWorkloadSecurityAgentRuleCreateAttributes { + blocking: None, description: None, + disabled: None, enabled: None, expression, filters: None, + monitoring: None, name, policy_id: None, product_tags: None, @@ -54,11 +66,21 @@ impl CloudWorkloadSecurityAgentRuleCreateAttributes { } } + pub fn blocking(mut self, value: Vec) -> Self { + self.blocking = Some(value); + self + } + pub fn description(mut self, value: String) -> Self { self.description = Some(value); self } + pub fn disabled(mut self, value: Vec) -> Self { + self.disabled = Some(value); + self + } + pub fn enabled(mut self, value: bool) -> Self { self.enabled = Some(value); self @@ -69,6 +91,11 @@ impl CloudWorkloadSecurityAgentRuleCreateAttributes { self } + pub fn monitoring(mut self, value: Vec) -> Self { + self.monitoring = Some(value); + self + } + pub fn policy_id(mut self, value: String) -> Self { self.policy_id = Some(value); self @@ -105,10 +132,13 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleCreateAttributes { where M: MapAccess<'a>, { + let mut blocking: Option> = None; let mut description: Option = None; + let mut disabled: Option> = None; let mut enabled: Option = None; let mut expression: Option = None; let mut filters: Option> = None; + let mut monitoring: Option> = None; let mut name: Option = None; let mut policy_id: Option = None; let mut product_tags: Option> = None; 
@@ -120,6 +150,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleCreateAttributes { while let Some((k, v)) = map.next_entry::()? { match k.as_str() { + "blocking" => { + if v.is_null() { + continue; + } + blocking = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } "description" => { if v.is_null() { continue; @@ -127,6 +163,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleCreateAttributes { description = Some(serde_json::from_value(v).map_err(M::Error::custom)?); } + "disabled" => { + if v.is_null() { + continue; + } + disabled = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } "enabled" => { if v.is_null() { continue; @@ -142,6 +184,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleCreateAttributes { } filters = Some(serde_json::from_value(v).map_err(M::Error::custom)?); } + "monitoring" => { + if v.is_null() { + continue; + } + monitoring = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } "name" => { name = Some(serde_json::from_value(v).map_err(M::Error::custom)?); } @@ -169,10 +217,13 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleCreateAttributes { let name = name.ok_or_else(|| M::Error::missing_field("name"))?; let content = CloudWorkloadSecurityAgentRuleCreateAttributes { + blocking, description, + disabled, enabled, expression, filters, + monitoring, name, policy_id, product_tags, diff --git a/src/datadogV2/model/model_cloud_workload_security_agent_rule_update_attributes.rs b/src/datadogV2/model/model_cloud_workload_security_agent_rule_update_attributes.rs index 3ad65c7f9..3108c7723 100644 --- a/src/datadogV2/model/model_cloud_workload_security_agent_rule_update_attributes.rs +++ b/src/datadogV2/model/model_cloud_workload_security_agent_rule_update_attributes.rs 
@@ -11,15 +11,24 @@ use std::fmt::{self, Formatter}; #[skip_serializing_none] #[derive(Clone, Debug, PartialEq, Serialize)] pub struct CloudWorkloadSecurityAgentRuleUpdateAttributes { + /// The blocking policies that the rule belongs to + #[serde(rename = "blocking")] + pub blocking: Option>, /// The description of the Agent rule #[serde(rename = "description")] pub description: Option, + /// The disabled policies that the rule belongs to + #[serde(rename = "disabled")] + pub disabled: Option>, /// Whether the Agent rule is enabled #[serde(rename = "enabled")] pub enabled: Option, /// The SECL expression of the Agent rule #[serde(rename = "expression")] pub expression: Option, + /// The monitoring policies that the rule belongs to + #[serde(rename = "monitoring")] + pub monitoring: Option>, /// The ID of the policy where the Agent rule is saved #[serde(rename = "policy_id")] pub policy_id: Option, @@ -36,9 +45,12 @@ pub struct CloudWorkloadSecurityAgentRuleUpdateAttributes { impl CloudWorkloadSecurityAgentRuleUpdateAttributes { pub fn new() -> CloudWorkloadSecurityAgentRuleUpdateAttributes { CloudWorkloadSecurityAgentRuleUpdateAttributes { + blocking: None, description: None, + disabled: None, enabled: None, expression: None, + monitoring: None, policy_id: None, product_tags: None, additional_properties: std::collections::BTreeMap::new(), @@ -46,11 +58,21 @@ impl CloudWorkloadSecurityAgentRuleUpdateAttributes { } } + pub fn blocking(mut self, value: Vec) -> Self { + self.blocking = Some(value); + self + } + pub fn description(mut self, value: String) -> Self { self.description = Some(value); self } + pub fn disabled(mut self, value: Vec) -> Self { + self.disabled = Some(value); + self + } + pub fn enabled(mut self, value: bool) -> Self { self.enabled = Some(value); self 
@@ -61,6 +83,11 @@ impl CloudWorkloadSecurityAgentRuleUpdateAttributes { self } + pub fn monitoring(mut self, value: Vec) -> Self { + self.monitoring = Some(value); + self + } + pub fn policy_id(mut self, value: String) -> Self { self.policy_id = Some(value); self @@ -103,9 +130,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleUpdateAttributes { where M: MapAccess<'a>, { + let mut blocking: Option> = None; let mut description: Option = None; + let mut disabled: Option> = None; let mut enabled: Option = None; let mut expression: Option = None; + let mut monitoring: Option> = None; let mut policy_id: Option = None; let mut product_tags: Option> = None; let mut additional_properties: std::collections::BTreeMap< @@ -116,6 +146,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleUpdateAttributes { while let Some((k, v)) = map.next_entry::()? { match k.as_str() { + "blocking" => { + if v.is_null() { + continue; + } + blocking = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } "description" => { if v.is_null() { continue; @@ -123,6 +159,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleUpdateAttributes { description = Some(serde_json::from_value(v).map_err(M::Error::custom)?); } + "disabled" => { + if v.is_null() { + continue; + } + disabled = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } "enabled" => { if v.is_null() { continue; @@ -135,6 +177,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleUpdateAttributes { } expression = Some(serde_json::from_value(v).map_err(M::Error::custom)?); } + "monitoring" => { + if v.is_null() { + continue; + } + monitoring = Some(serde_json::from_value(v).map_err(M::Error::custom)?); + } "policy_id" => { if v.is_null() { continue; 
@@ -157,9 +205,12 @@ impl<'de> Deserialize<'de> for CloudWorkloadSecurityAgentRuleUpdateAttributes { } let content = CloudWorkloadSecurityAgentRuleUpdateAttributes { + blocking, description, + disabled, enabled, expression, + monitoring, policy_id, product_tags, additional_properties, diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen index c290cdbad..0ea50fe83 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-04-15T09:10:06.353Z \ No newline at end of file +2025-05-15T11:49:04.463Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.json b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.json index 0254f082b..5947b49a9 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.json @@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"errors\":[{\"title\":\"failed to create policy\"}]}\n", + "string": "{\"errors\":[\"input_validation_error(Field 'tags' is invalid: cannot have both the new and the legacy field populated)\"]}", "encoding": null }, "headers": { @@ -32,7 +32,7 @@ "message": "Bad Request" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:06 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:04 GMT" } ], "recorded_with": "VCR 6.0.0" 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.frozen index 3eef66a9c..1047e7a08 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-15T09:10:06.769Z \ No newline at end of file +2025-05-15T11:49:04.847Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.json index 7af95a8ad..92be795c3 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.json 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"4op-0bb-yom\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"my_agent_policy\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708206895,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"oem-itj-6yc\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"my_agent_policy\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309744898,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -32,7 +32,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:06 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:04 GMT" }, { "request": { @@ -43,7 +43,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/4op-0bb-yom" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/oem-itj-6yc" }, "response": { "body": { @@ -60,7 +60,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:06 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:04 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen index f989accc0..f6fa6b7c0 100644 
--- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:45.280Z \ No newline at end of file +2025-05-15T11:49:06.272Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.json b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.json index e5e2c198b..1223c71b8 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1747309746\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"mrs-qdn-jq8\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517845323,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"bdb-fa5-mym\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1747309746\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309746340,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -32,12 +32,12 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:45 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:06 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\",\"filters\":[],\"name\":\"my_agent_rule\",\"policy_id\":\"mrs-qdn-jq8\",\"product_tags\":[]},\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\",\"filters\":[],\"name\":\"my_agent_rule\",\"policy_id\":\"bdb-fa5-mym\",\"product_tags\":[]},\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -53,7 +53,7 @@ }, "response": { "body": { - "string": "{\"errors\":[\"input_validation_error(Field 'name' is invalid: rule `my_agent_rule` error: multiple definition with the same ID)\"]}", + "string": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `my_agent_rule` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}", "encoding": null }, "headers": { @@ -66,7 +66,7 @@ "message": "Bad Request" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:45 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:06 GMT" }, { "request": { @@ -77,7 +77,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/mrs-qdn-jq8" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/bdb-fa5-mym" }, "response": { "body": { @@ -94,7 +94,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:45 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:06 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.frozen index d00c1e7e9..ff7237615 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:46.809Z \ No newline at end of file +2025-05-15T11:49:07.692Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.json index 9ddbdc5da..cea75b8ee 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.json 
+++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1747309747\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { @@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"eeq-02h-jhh\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517846856,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"nto-1nm-yyn\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1747309747\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309747726,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { 
@@ -32,12 +32,12 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:46 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:07 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"policy_id\":\"eeq-02h-jhh\",\"product_tags\":[]},\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1747309747\",\"policy_id\":\"nto-1nm-yyn\",\"product_tags\":[]},\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -53,7 +53,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"ree-4gw-dk6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517847344,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"updateDate\":1743517847344,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"uqt-hyg-2ve\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1747309748100,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"nto-1nm-yyn\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1747309747\",\"product_tags\":[],\"updateDate\":1747309748100,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -66,7 +66,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:46 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:07 GMT" }, { "request": { @@ -77,7 +77,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ree-4gw-dk6" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/uqt-hyg-2ve" }, "response": { "body": { @@ -94,7 +94,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:46 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:07 GMT" }, { "request": { 
@@ -105,7 +105,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/eeq-02h-jhh" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/nto-1nm-yyn" }, "response": { "body": { @@ -122,7 +122,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:46 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:07 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.frozen new file mode 100644 index 000000000..222e6fcb2 --- /dev/null +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.frozen @@ -0,0 +1 @@ +2025-05-15T11:49:10.442Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.json new file mode 100644 index 000000000..93a57ece5 --- /dev/null +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.json 
@@ -0,0 +1,129 @@ +{ + "http_interactions": [ + { + "request": { + "body": { + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulewithsetactionreturnsokresponse1747309750\"},\"type\":\"policy\"}}", + "encoding": null + }, + "headers": { + "Accept": [ + "application/json" + ], + "Content-Type": [ + "application/json" + ] + }, + "method": "post", + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "body": { + "string": "{\"data\":{\"id\":\"xyq-ard-uy3\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulewithsetactionreturnsokresponse1747309750\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309750488,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "encoding": null + }, + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "status": { + "code": 200, + "message": "OK" + } + }, + "recorded_at": "Thu, 15 May 2025 11:49:10 GMT" + }, + { + "request": { + "body": { + "string": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}}],\"description\":\"My Agent rule with set action\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacsmthreatsagentrulewithsetactionreturnsokresponse1747309750\",\"policy_id\":\"xyq-ard-uy3\",\"product_tags\":[]},\"type\":\"agent_rule\"}}", + "encoding": null + }, + "headers": { + "Accept": [ + "application/json" + ], + "Content-Type": [ + "application/json" + ] + }, + "method": "post", + "uri": 
"https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" + }, + "response": { + "body": { + "string": "{\"data\":{\"id\":\"0xd-0i0-cnc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\"},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1747309750900,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule with set action\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"xyq-ard-uy3\"],\"name\":\"testcreateacsmthreatsagentrulewithsetactionreturnsokresponse1747309750\",\"product_tags\":[],\"updateDate\":1747309750900,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "encoding": null + }, + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "status": { + "code": 200, + "message": "OK" + } + }, + "recorded_at": "Thu, 15 May 2025 11:49:10 GMT" + }, + { + "request": { + "body": "", + "headers": { + "Accept": [ + "*/*" + ] + }, + "method": "delete", + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/0xd-0i0-cnc" + }, + "response": { + "body": { + "string": "", + "encoding": null + }, + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "status": { + "code": 204, + "message": "No Content" + } + }, + "recorded_at": "Thu, 15 May 2025 11:49:10 GMT" + }, + { + "request": { + "body": "", + "headers": { + "Accept": [ + "*/*" + ] + }, + "method": "delete", + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/xyq-ard-uy3" + }, + "response": { + "body": { + "string": "", + "encoding": null + }, + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "status": { + "code": 204, + "message": "No Content" + } + }, + "recorded_at": "Thu, 15 May 2025 11:49:10 GMT" + } + 
], + "recorded_with": "VCR 6.0.0" +} \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen index 569f1f189..aa54f5c7d 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-04-18T09:10:11.610Z \ No newline at end of file +2025-05-15T11:49:13.094Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.json b/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.json index a560eee58..991e1fafd 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1747309753\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"byc-7rh-p5l\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411\",\"policyVersion\":\"1\",\"priority\":1000000002,\"ruleCount\":226,\"updateDate\":1744967411964,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"ouu-6xr-bab\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1747309753\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309753145,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -32,7 +32,7 @@ "message": "OK" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:11 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:13 GMT" }, { "request": { @@ -66,7 +66,7 @@ "message": "Bad Request" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:11 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:13 GMT" }, { "request": { @@ -77,7 +77,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/byc-7rh-p5l" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ouu-6xr-bab" }, "response": { "body": { @@ -94,7 +94,7 @@ "message": "No Content" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:11 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:13 GMT" } ], "recorded_with": "VCR 6.0.0" 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen index 8ad981fd2..9d74bc860 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:49.909Z \ No newline at end of file +2025-05-15T11:49:14.223Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json index f1d5e85cc..229e213e8 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1747309754\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"4o4-2ha-t4b\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517849954,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"ub7-nwt-ghr\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1747309754\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309754274,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -32,12 +32,12 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:49 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:14 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\"},\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1747309754\"},\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -53,7 +53,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"amk-lsa-s1q\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1743517850483,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1743517850483,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", + "string": "{\"data\":{\"id\":\"sgv-vge-luo\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1747309754\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1747309755217,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1747309755217,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", "encoding": null }, "headers": { @@ -66,7 +66,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:49 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:14 GMT" }, { "request": { 
@@ -77,7 +77,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/amk-lsa-s1q" + "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/sgv-vge-luo" }, "response": { "body": { @@ -90,7 +90,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:49 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:14 GMT" }, { "request": { @@ -101,7 +101,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/4o4-2ha-t4b" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ub7-nwt-ghr" }, "response": { "body": { @@ -118,7 +118,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:49 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:14 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen index 2907715a1..862ea7397 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:50.953Z \ No newline at end of file +2025-05-15T11:49:15.782Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json index 66c673a69..7d5cbf974 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json 
@@ -26,7 +26,7 @@ "message": "Not Found" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:50 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:15 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.frozen index b90ca64b4..528c29f52 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:51.116Z \ No newline at end of file +2025-05-15T11:49:15.901Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.json index f5414cd9e..f44f46205 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteacsmthreatsagentpolicyreturnsokresponse1747309755\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"794-4tf-osj\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517851168,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"sqz-yz1-wkv\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteacsmthreatsagentpolicyreturnsokresponse1747309755\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309755933,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -32,7 +32,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:51 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:15 GMT" }, { "request": { @@ -43,7 +43,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/794-4tf-osj" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/sqz-yz1-wkv" }, "response": { "body": { @@ -60,7 +60,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:51 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:15 GMT" }, { "request": { @@ -71,7 +71,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/794-4tf-osj" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/sqz-yz1-wkv" }, "response": { "body": { 
@@ -88,7 +88,7 @@ "message": "Not Found" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:51 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:15 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen index 9c683d57f..e66ea7c85 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:52.038Z \ No newline at end of file +2025-05-15T11:49:16.718Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json index ecccd6367..fe484c975 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json @@ -26,7 +26,7 @@ "message": "Not Found" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:52 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:16 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.frozen index 369e24ad1..5fb765052 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.frozen 
@@ -1 +1 @@ -2025-04-01T14:30:52.133Z \ No newline at end of file +2025-05-15T11:49:17.005Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.json index 400fd1f53..31bfe9860 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1747309757\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"kqm-fhb-eay\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517852178,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"esf-fbh-ofa\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1747309757\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309757037,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { 
@@ -32,12 +32,12 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:52 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:17 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"policy_id\":\"kqm-fhb-eay\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}}],\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1747309757\",\"policy_id\":\"esf-fbh-ofa\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -53,7 +53,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"pjy-nkm-0wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517852458,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"updateDate\":1743517852458,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"pdb-88d-vs4\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\"},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1747309757421,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"esf-fbh-ofa\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1747309757\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1747309757421,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -66,7 +66,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:52 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:17 GMT" }, { "request": { @@ -77,7 +77,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb?policy_id=kqm-fhb-eay" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pdb-88d-vs4?policy_id=esf-fbh-ofa" }, "response": { "body": { 
@@ -94,7 +94,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:52 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:17 GMT" }, { "request": { @@ -105,7 +105,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pdb-88d-vs4" }, "response": { "body": { @@ -122,7 +122,7 @@ "message": "Not Found" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:52 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:17 GMT" }, { "request": { @@ -133,7 +133,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kqm-fhb-eay" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/esf-fbh-ofa" }, "response": { "body": { @@ -150,7 +150,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:52 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:17 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen index c943cdfcd..73c521ff2 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:54.389Z \ No newline at end of file +2025-05-15T11:49:19.503Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json index 6cb31b428..118d57fd9 100644 
--- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json @@ -26,7 +26,7 @@ "message": "Not Found" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:54 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:19 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen index 5d9212342..4acf4fd12 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-18T09:10:13.237Z \ No newline at end of file +2025-05-15T11:49:19.551Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json index 87b454b85..86e8f23b3 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json 
@@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413\"},\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1747309759\"},\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"ghk-tsf-neq\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967413434,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967413434,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", + "string": "{\"data\":{\"id\":\"mdm-2ki-w2c\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1747309759\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1747309759860,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1747309759860,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", "encoding": null }, "headers": { @@ -32,7 +32,7 @@ "message": "OK" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:13 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:19 GMT" }, { "request": { 
@@ -43,7 +43,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq" + "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/mdm-2ki-w2c" }, "response": { "body": { @@ -56,7 +56,7 @@ "message": "No Content" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:13 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:19 GMT" }, { "request": { @@ -67,11 +67,11 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq" + "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/mdm-2ki-w2c" }, "response": { "body": { - "string": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=ghk-tsf-neq)\"]}\n", + "string": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=mdm-2ki-w2c)\"]}\n", "encoding": null }, "headers": { @@ -84,7 +84,7 @@ "message": "Not Found" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:13 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:19 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen index 24a790d0a..42e197266 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:54.462Z \ No newline at end of file +2025-05-15T11:49:20.081Z \ No newline at end of file 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json index 8f2f21bf8..9c8d150fa 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json @@ -26,7 +26,7 @@ "message": "Not Found" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:54 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:20 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.frozen index 76a831283..f6298625d 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:54.711Z \ No newline at end of file +2025-05-15T11:49:20.203Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.json index ee7b55360..310044c41 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.json 
@@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1747309760\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { @@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"egv-qkr-ihb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517854753,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"6v0-ufi-yxu\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1747309760\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309760242,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -32,7 +32,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:54 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:20 GMT" }, { "request": { 
@@ -43,11 +43,11 @@ ] }, "method": "get", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/egv-qkr-ihb" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/6v0-ufi-yxu" }, "response": { "body": { - "string": "{\"data\":{\"id\":\"egv-qkr-ihb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517854753,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"6v0-ufi-yxu\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1747309760\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309760242,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -60,7 +60,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:54 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:20 GMT" }, { "request": { @@ -71,7 +71,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/egv-qkr-ihb" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/6v0-ufi-yxu" }, "response": { "body": { @@ -88,7 +88,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:54 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:20 GMT" } ], "recorded_with": "VCR 6.0.0" 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen index a63285714..d33c6da2e 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:55.749Z \ No newline at end of file +2025-05-15T11:49:21.248Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json index 5fa7f883c..b4060b8f4 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json @@ -26,7 +26,7 @@ "message": "Not Found" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:55 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:21 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.frozen index 5c6928697..e8cd8cf20 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:56.067Z \ No newline at end of file +2025-05-15T11:49:21.436Z \ No newline at end of file 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.json index 854cb3264..d39aef3f7 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1747309761\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"lxh-tyq-n9u\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517856115,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"1jz-taz-md3\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1747309761\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309761485,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { 
@@ -32,12 +32,12 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:56 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:21 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"policy_id\":\"lxh-tyq-n9u\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}}],\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1747309761\",\"policy_id\":\"1jz-taz-md3\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -53,7 +53,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"k1m-gqh-zqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517856488,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"updateDate\":1743517856488,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"lko-dbx-hgq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\"},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1747309762008,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"1jz-taz-md3\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1747309761\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1747309762008,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -66,7 +66,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:56 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:21 GMT" }, { "request": { 
@@ -77,11 +77,11 @@ ] }, "method": "get", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm?policy_id=lxh-tyq-n9u" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/lko-dbx-hgq?policy_id=1jz-taz-md3" }, "response": { "body": { - "string": "{\"data\":{\"id\":\"k1m-gqh-zqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517856000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"updateDate\":1743517856000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"lko-dbx-hgq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\"},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1747309762008,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"1jz-taz-md3\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1747309761\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1747309762008,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -94,7 +94,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:56 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:21 GMT" }, { "request": { 
@@ -105,7 +105,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/lko-dbx-hgq" }, "response": { "body": { @@ -122,7 +122,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:56 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:21 GMT" }, { "request": { @@ -133,7 +133,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/lxh-tyq-n9u" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1jz-taz-md3" }, "response": { "body": { @@ -150,7 +150,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:56 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:21 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen index 881abb756..b35f56d6b 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:58.452Z \ No newline at end of file +2025-05-15T11:49:24.504Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json index fe5c475b1..baaabf2ec 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json 
+++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json @@ -26,7 +26,7 @@ "message": "Not Found" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:58 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:24 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen index 72cbb497c..97ebf84ef 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-18T09:10:13.933Z \ No newline at end of file +2025-05-15T11:49:24.574Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json index 5c8a2216f..83c4bd520 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\"},\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1747309764\"},\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"ajb-znb-t3g\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414208,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414208,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", + "string": "{\"data\":{\"id\":\"axj-sqc-arv\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1747309764\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1747309765074,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1747309765074,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", "encoding": null }, "headers": { @@ -32,7 +32,7 @@ "message": "OK" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:13 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:24 GMT" }, { "request": { 
@@ -43,11 +43,11 @@ ] }, "method": "get", - "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g" + "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/axj-sqc-arv" }, "response": { "body": { - "string": "{\"data\":{\"id\":\"ajb-znb-t3g\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414208,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414208,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", + "string": "{\"data\":{\"id\":\"axj-sqc-arv\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1747309764\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1747309765074,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1747309765074,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", "encoding": null }, "headers": { 
@@ -60,7 +60,7 @@ "message": "OK" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:13 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:24 GMT" }, { "request": { @@ -71,7 +71,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g" + "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/axj-sqc-arv" }, "response": { "body": { @@ -84,7 +84,7 @@ "message": "No Content" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:13 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:24 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.frozen index 8fe4f3f19..39a682280 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:58.530Z \ No newline at end of file +2025-05-15T11:49:25.280Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.json index 3ee29f4ba..fb03ad8f6 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.json 
@@ -13,7 +13,7 @@ }, "response": { "body": { - "string": "{\"data\":[{\"id\":\"CWS_CUSTOM-canary\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"disabledRulesCount\":1,\"enabled\":false,\"hostTags\":[],\"monitoringRulesCount\":418,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"53221\",\"priority\":1000000000,\"ruleCount\":419,\"updateDate\":1742473183000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"CWS_DD\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":true,\"disabledRulesCount\":1,\"enabled\":true,\"monitoringRulesCount\":225,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"1.40.0-rc76\",\"priority\":0,\"ruleCount\":226,\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}", + "string": "{\"data\":[{\"id\":\"gxu-c6v-pka\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747260251\",\"policyVersion\":\"2\",\"priority\":1000000069,\"ruleCount\":227,\"updateDate\":1747260252444,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1os-ptz-he9\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747217050\",\"policyVersion\":\"2\",\"priority\":1000000066,\"ruleCount\":227,\"updateDate\":1747217052175,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ddu-dat-9cx\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747188251\",\"policyVersion\":\"2\",\"priority\":1000000061,\"ruleCount\":227,\"updateDate\":1747188252541,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"oiv-iar-6uj\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1747188247\",\"policyVersion\":\"3\",\"priority\":1000000058,\"ruleCount\":226,\"updateDate\":1747188247541,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"n6v-uoj-6jv\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1747173848\",\"policyVersion\":\"3\",\"priority\":1000000056,\"ruleCount\":226,\"updateDate\":1747173848994,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zay-klh-gzk\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747145048\",\"policyVersion\":\"1\",\"priority\":1000000053,\"ruleCount\":226,\"updateDate\":1747145052780,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"t0c-318-ksc\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747130648\",\"policyVersion\":\"1\",\"priority\":1000000048,\"ruleCount\":226,\"updateDate\":1747130648466,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mnq-jea-ord\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747116251\",\"policyVersion\":\"3\",\"priority\":1000000045,\"ruleCount\":226,\"updateDate\":1747116251418,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hjq-1ou-gxj\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747116248\",\"policyVersion\":\"1\",\"priority\":1000000044,\"ruleCount\":226,\"updateDate\":1747116249173,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zt3-q2u-xka\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747058651\",\"policyVersion\":\"2\",\"priority\":1000000041,\"ruleCount\":227,\"updateDate\":1747058653022,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"n52-kmk-gy5\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1747058647\",\"policyVersion\":\"2\",\"priority\":1000000039,\"ruleCount\":227,\"updateDate\":1747058651011,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lwi-ota-cdp\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1747029847\",\"policyVersion\":\"2\",\"priority\":1000000037,\"ruleCount\":227,\"updateDate\":1747029850531,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"eme-xsc-20m\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747001050\",\"policyVersion\":\"2\",\"priority\":1000000035,\"ruleCount\":227,\"updateDate\":1747001052678,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"acr-3t9-p0d\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747001048\",\"policyVersion\":\"1\",\"priority\":1000000033,\"ruleCount\":226,\"updateDate\":1747001048728,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hw2-pev-bdl\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1746986651\",\"policyVersion\":\"3\",\"priority\":1000000030,\"ruleCount\":226,\"updateDate\":1746986651360,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mm8-gf5-1mh\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1746986648\",\"policyVersion\":\"3\",\"priority\":1000000029,\"ruleCount\":226,\"updateDate\":1746986649139,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wfe-tga-w8i\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1746943448\",\"policyVersion\":\"1\",\"priority\":1000000025,\"ruleCount\":226,\"updateDate\":1746943448597,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kz9-gsr-aet\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1746929048\",\"policyVersion\":\"3\",\"priority\":1000000022,\"ruleCount\":226,\"updateDate\":1746929049088,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"u2n-mby-zu5\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplegetacsmthreatsagentpolicyreturnsokresponse1746914646\",\"policyVersion\":\"1\",\"priority\":1000000018,\"ruleCount\":226,\"updateDate\":1746914646907,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ygu-bj5-cnb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1746900250\",\"policyVersion\":\"2\",\"priority\":1000000017,\"ruleCount\":227,\"updateDate\":1746900252089,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"8h9-6l9-ofq\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1746885848\",\"policyVersion\":\"3\",\"priority\":1000000012,\"ruleCount\":226,\"updateDate\":1746885849173,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"x6i-kv0-iby\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1746871448\",\"policyVersion\":\"1\",\"priority\":1000000009,\"ruleCount\":226,\"updateDate\":1746871448758,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wry-lqz-m1l\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplegetacsmthreatsagentpolicyreturnsokresponse1746842646\",\"policyVersion\":\"1\",\"priority\":1000000006,\"ruleCount\":226,\"updateDate\":1746842646921,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ljy-djc-pxw\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1746828247\",\"policyVersion\":\"2\",\"priority\":1000000005,\"ruleCount\":227,\"updateDate\":1746828252931,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kmt-lzi-f6r\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplegetacsmthreatsagentpolicyreturnsokresponse1746813847\",\"policyVersion\":\"1\",\"priority\":1000000003,\"ruleCount\":226,\"updateDate\":1746813847517,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"CWS_CUSTOM-canary\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"disabledRulesCount\":2,\"enabled\":false,\"monitoringRulesCount\":491,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"58193\",\"priority\":1000000002,\"ruleCount\":493,\"updateDate\":1746789273109,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"hdo-seh-iaa\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1744718519\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744718520126,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"CWS_DD\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":true,\"disabledRulesCount\":1,\"enabled\":true,\"monitoringRulesCount\":225,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"1.43.0-rc80\",\"priority\":0,\"ruleCount\":226,\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}", "encoding": null }, "headers": { @@ -26,7 +26,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:58 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:25 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.frozen index 7ee9fb802..0fb29cfc5 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:58.771Z \ No newline at end of file +2025-05-15T11:49:25.503Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.json index ca508a7a2..66c68fdde 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.json 
@@ -1,5 +1,39 @@ { "http_interactions": [ + { + "request": { + "body": { + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetallcsmthreatsagentrulesreturnsokresponse1747309765\"},\"type\":\"policy\"}}", + "encoding": null + }, + "headers": { + "Accept": [ + "application/json" + ], + "Content-Type": [ + "application/json" + ] + }, + "method": "post", + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "body": { + "string": "{\"data\":{\"id\":\"v5l-ynv-guh\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetallcsmthreatsagentrulesreturnsokresponse1747309765\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309765555,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "encoding": null + }, + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "status": { + "code": 200, + "message": "OK" + } + }, + "recorded_at": "Thu, 15 May 2025 11:49:25 GMT" + }, { "request": { "body": "", 
@@ -9,11 +43,11 @@ ] }, "method": "get", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules?policy_id=v5l-ynv-guh" }, "response": { "body": { - "string": "{\"data\":[{\"id\":\"50t-g20-n4o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1710772096000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"Randomname\",\"updateDate\":1710772096000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4mc-0xr-vlw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714264624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714264624\",\"updateDate\":1714264624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zu3-7yi-3w0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714696626000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714696624\",\"updateDate\":1714696626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xg2-lum-j2a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714783024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714783024\",\"updateDate\":1714783024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rsm-fam-pfp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714869424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714869424\",\"updateDate\":1714869424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ulx-voj-zk3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714883824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714883824\",\"updateDate\":1714883824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nio-59w-ip8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714927026000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714927026\",\"updateDate\":1714927026000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5zt-j5u-aqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715287024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715287024\",\"updateDate\":1715287024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k8w-brg-51l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715445426000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715445424\",\"updateDate\":1715445426000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"eue-gqs-59v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715503024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715503024\",\"updateDate\":1715503024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9wz-mgt-zkp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715546226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715546226\",\"updateDate\":1715546226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fii-ysi-7bu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715618226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715618224\",\"updateDate\":1715618226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hhl-9nk-8ls\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715819826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715819824\",\"updateDate\":1715819826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rc4-b53-3sj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715863024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715863024\",\"updateDate\":1715863024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w3d-qp8-3yb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1716309424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1716309424\",\"updateDate\":1716309424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"cvn-qsw-ibn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716410225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1716410224\",\"updateDate\":1716410225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vyd-2vb-tnk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1738469890000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1738469890\",\"updateDate\":1738469890000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ulc-hn1-cz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725295024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1725295023\",\"updateDate\":1725295024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"jbe-827-tq7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732768624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1732768624\",\"updateDate\":1732768624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ezw-7rm-wca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735634224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1735634224\",\"updateDate\":1735634224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"p4n-ijm-zeu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714155721000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714155721\",\"updateDate\":1714155721000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"piq-bha-m6t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714279024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714279024\",\"updateDate\":1714279024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rno-53m-mf3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714538225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714538225\",\"updateDate\":1714538225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bwj-n0m-ut5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714653425000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714653424\",\"updateDate\":1714653425000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hk2-qrd-3jt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714667824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714667824\",\"updateDate\":1714667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zdz-ued-luw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714797424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714797424\",\"updateDate\":1714797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tf1-bgq-7bb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714883824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714883824\",\"updateDate\":1714883824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"35e-29w-qhu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715128624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715128624\",\"updateDate\":1715128624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"iyj-haq-dvu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715373426000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715373425\",\"updateDate\":1715373426000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rgf-wo7-4fj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715402226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715402224\",\"updateDate\":1715402226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"stq-uwx-efd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715531824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715531824\",\"updateDate\":1715531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"i0b-hk0-7h3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715560625000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715560625\",\"updateDate\":1715560625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0zl-ilo-guv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716050224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716050224\",\"updateDate\":1716050224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"e7g-3t1-hpu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716352624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716352624\",\"updateDate\":1716352624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qoe-y42-hqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716554224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716554224\",\"updateDate\":1716554224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sic-1px-69u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717418225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1717418224\",\"updateDate\":1717418225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3kk-4rm-qug\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1718426224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1718426224\",\"updateDate\":1718426224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b79-xcg-63p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719059824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719059824\",\"updateDate\":1719059824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"veg-qf4-lgr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719967025000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719967024\",\"updateDate\":1719967025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ukn-yjf-h6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719981424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719981423\",\"updateDate\":1719981424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ssm-zlm-vqh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720312626000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1720312624\",\"updateDate\":1720312626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qba-1qm-uj5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721075824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721075824\",\"updateDate\":1721075824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uhw-kuq-ute\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721119025000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721119024\",\"updateDate\":1721119025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ftd-d3e-byt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721666224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721666224\",\"updateDate\":1721666224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9n1-l1g-u4k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721853424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721853423\",\"updateDate\":1721853424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4qm-ikt-fpr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721954224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721954223\",\"updateDate\":1721954224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"d7t-4i4-tex\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1722659826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1722659824\",\"updateDate\":1722659826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mda-uab-xow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1723178226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1723178224\",\"updateDate\":1723178226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3cv-rwp-2t7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724215024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724215024\",\"updateDate\":1724215024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vvb-sfk-jn1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724647024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724647024\",\"updateDate\":1724647024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"li0-j5t-0hv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724848624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724848624\",\"updateDate\":1724848624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hlp-8dr-0i3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725467825000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1725467823\",\"updateDate\":1725467825000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xw4-uw8-mmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725885424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1725885424\",\"updateDate\":1725885424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3gw-vkx-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728419826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1728419824\",\"updateDate\":1728419826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xxc-35o-apy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1729427824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1729427824\",\"updateDate\":1729427824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3hj-2t8-ydm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1729787824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1729787824\",\"updateDate\":1729787824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zt8-od0-yxu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730205424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730205423\",\"updateDate\":1730205424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"svl-2s4-jd4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730450224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730450223\",\"updateDate\":1730450224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ycc-lv0-6oj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1730939824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730939824\",\"updateDate\":1730939824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"d2g-d0v-w1l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732019824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732019824\",\"updateDate\":1732019824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7s9-sfq-2km\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732552624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732552624\",\"updateDate\":1732552624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tb2-3ij-eep\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732667824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732667824\",\"updateDate\":1732667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sfj-gky-roy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732869424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732869424\",\"updateDate\":1732869424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sz5-kvy-3kd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732927024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732927024\",\"updateDate\":1732927024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"2vn-l1s-b0y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733013424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733013424\",\"updateDate\":1733013424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nco-423-hiu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733531824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733531824\",\"updateDate\":1733531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"l57-d8u-edg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733546224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733546224\",\"updateDate\":1733546224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4sz-cc7-ukd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733560627000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733560624\",\"updateDate\":1733560627000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"o9g-ptk-2zv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733575024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733575024\",\"updateDate\":1733575024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xg0-u09-xir\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1733603824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733603824\",\"updateDate\":1733603824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fog-8k1-fzi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733704624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733704624\",\"updateDate\":1733704624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wzz-ni8-56v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733963824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733963824\",\"updateDate\":1733963824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mdn-0hh-uw1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734050226000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734050223\",\"updateDate\":1734050226000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ox-06e-x4c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734093424000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734093423\",\"updateDate\":1734093424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uyv-a9k-8l7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734395826000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734395824\",\"updateDate\":1734395826000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5b4-k0v-rzw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734424624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734424623\",\"updateDate\":1734424624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w60-a8d-qrd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734439024000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734439023\",\"updateDate\":1734439024000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zsr-y94-6u2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734482226000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734482224\",\"updateDate\":1734482226000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0t6-uce-ee0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734899824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734899824\",\"updateDate\":1734899824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fiw-wuv-ueg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734914224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734914224\",\"updateDate\":1734914224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"n8l-rby-b42\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1735072624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735072624\",\"updateDate\":1735072624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"v14-hvg-0fd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735216626000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735216624\",\"updateDate\":1735216626000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"shf-bur-1id\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735288624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735288624\",\"updateDate\":1735288624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"18r-273-a6u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735547824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735547824\",\"updateDate\":1735547824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1ys-tf8-u32\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735562224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735562224\",\"updateDate\":1735562224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1ej-lz6-3iy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735648624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735648624\",\"updateDate\":1735648624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"981-x7o-izo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735749424000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735749424\",\"updateDate\":1735749424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"897-56j-4uj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735907824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735907823\",\"updateDate\":1735907824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f5p-men-xz3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735994224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735994224\",\"updateDate\":1735994224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wt2-84b-uy6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737433133000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1737433133\",\"updateDate\":1737433133000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"269-p6y-i3p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742473183000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1742473182\",\"updateDate\":1742473183000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vxv-90c-vm4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714279023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714279022\",\"updateDate\":1714279024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rta-b8v-4uf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714322223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714322222\",\"updateDate\":1714322224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qo2-qin-6hg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714351023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714351022\",\"updateDate\":1714351024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"aoo-snu-t5u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714423023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714423023\",\"updateDate\":1714423024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vsk-ewy-s83\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714451823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714451823\",\"updateDate\":1714451824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"o4r-6tp-yk0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714466223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714466223\",\"updateDate\":1714466224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"710-xzg-ays\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714480623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714480623\",\"updateDate\":1714480624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tjr-ib4-gya\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714509423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714509423\",\"updateDate\":1714509424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"yep-euy-ttp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714552623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714552623\",\"updateDate\":1714552624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ps4-63s-bzc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714567023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714567023\",\"updateDate\":1714567024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kax-qcg-qu0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714581423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714581423\",\"updateDate\":1714581424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"245-ynt-xcy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714610223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714610223\",\"updateDate\":1714610224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1m6-dg0-lq9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714624623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714624623\",\"updateDate\":1714624624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3xf-404-qez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714667823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714667823\",\"updateDate\":1714667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"e6l-qo1-y2e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714682223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714682223\",\"updateDate\":1714682224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k95-kl4-jxt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714696623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714696623\",\"updateDate\":1714696627000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"es7-rhv-nra\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714797423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714797422\",\"updateDate\":1714797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"syl-o29-0dq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714826223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714826223\",\"updateDate\":1714826223000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7sd-d1r-ts5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714840623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714840622\",\"updateDate\":1714840624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"97d-p9d-x1d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714941423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714941422\",\"updateDate\":1714941424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mgl-xtg-ctl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715027823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715027822\",\"updateDate\":1715027824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a9f-o95-atg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715128623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715128622\",\"updateDate\":1715128624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rjm-biu-bqq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1715272623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715272622\",\"updateDate\":1715272624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nor-y5a-3sn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715373423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715373422\",\"updateDate\":1715373424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4fo-giq-5f8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715416623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715416622\",\"updateDate\":1715416624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"c79-8dg-klx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715445423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715445422\",\"updateDate\":1715445424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f4p-2wj-hrf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715459823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715459822\",\"updateDate\":1715459824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bou-hvm-24h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715474223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715474222\",\"updateDate\":1715474224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lf1-s8g-yf7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715503023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715503022\",\"updateDate\":1715503024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"krx-co0-pz2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715531823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715531822\",\"updateDate\":1715531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uqg-z0t-83n\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715575023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715575022\",\"updateDate\":1715575024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kid-vkk-fj9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715603823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715603822\",\"updateDate\":1715603824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"h4n-yuq-2mp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715632623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715632622\",\"updateDate\":1715632624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ocv-we5-g5y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1715661423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715661422\",\"updateDate\":1715661423000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mzh-gda-c24\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715762223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715762222\",\"updateDate\":1715762224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mtg-s1f-xy5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716050223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716050222\",\"updateDate\":1716050224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6ak-6po-dd6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716640623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716640622\",\"updateDate\":1716640624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5rb-4q9-p5g\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716813423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716813422\",\"updateDate\":1716813424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b7w-xgg-ocq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717130223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717130222\",\"updateDate\":1717130226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1l2-7qh-mfa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717432623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717432622\",\"updateDate\":1717432626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"m77-qgu-c48\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717677423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717677422\",\"updateDate\":1717677424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f2b-qds-3f4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1718815023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1718815022\",\"updateDate\":1718815024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xh4-cv2-cfa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719031023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719031022\",\"updateDate\":1719031024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fxe-inc-9zj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719938223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719938222\",\"updateDate\":1719938225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"pb3-26n-452\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1719981423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719981422\",\"updateDate\":1719981424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hgr-nny-7zr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720471023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1720471022\",\"updateDate\":1720471024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wvg-hbj-6o2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720600623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1720600622\",\"updateDate\":1720600624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9ji-2p2-v00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721248623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721248623\",\"updateDate\":1721248625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"dou-40j-cpw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721378223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721378223\",\"updateDate\":1721378224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qd9-39s-51s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721666223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721666223\",\"updateDate\":1721666224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"g9j-hhf-7at\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1722703023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1722703023\",\"updateDate\":1722703024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ybg-c9d-29b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723034223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723034223\",\"updateDate\":1723034224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hsg-toh-i57\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723610223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723610223\",\"updateDate\":1723610224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tiy-95c-mkc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723797423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723797423\",\"updateDate\":1723797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7rw-grx-l7u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1726331823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1726331822\",\"updateDate\":1726331823000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k1r-tva-i6e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1727829423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1727829422\",\"updateDate\":1727829425000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4bk-eaa-j5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728664623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1728664622\",\"updateDate\":1728664623000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qk2-gkn-517\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730162223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730162223\",\"updateDate\":1730162225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ybl-tp8-aab\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730263023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730263022\",\"updateDate\":1730263025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3xd-vam-hd2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730479023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730479022\",\"updateDate\":1730479024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ro3-z56-52j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732221423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1732221423\",\"updateDate\":1732221424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ay-9ve-3i3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732451823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1732451822\",\"updateDate\":1732451823000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a66-2qy-xwe\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733128623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733128622\",\"updateDate\":1733128625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9of-ebc-ypn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733143023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733143022\",\"updateDate\":1733143023000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b68-yq9-x3q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733200623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733200622\",\"updateDate\":1733200625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ev9-rxn-om1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733272623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733272622\",\"updateDate\":1733272626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"gds-0mc-sle\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1733330223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733330222\",\"updateDate\":1733330225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rwf-5af-jaw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733618223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733618222\",\"updateDate\":1733618223000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"z2v-n54-g9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733661423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733661422\",\"updateDate\":1733661424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vma-z5w-bi9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734179823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734179822\",\"updateDate\":1734179825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ya9-48i-611\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734496623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734496623\",\"updateDate\":1734496625000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"l9m-5ce-g9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734525423000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734525422\",\"updateDate\":1734525423000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kbx-ylg-k86\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734597423000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734597422\",\"updateDate\":1734597424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rec-v3q-e1c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1734770223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734770223\",\"updateDate\":1734770227000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tr5-g9p-4jx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734799023000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734799023\",\"updateDate\":1734799025000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tps-9zv-vpp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734899823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734899823\",\"updateDate\":1734899825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0rc-s4t-d0f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735562223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735562223\",\"updateDate\":1735562225000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ekr-3xj-8yj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735619823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735619823\",\"updateDate\":1735619825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"p6o-t98-nm1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735691823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735691823\",\"updateDate\":1735691824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nue-wxi-y3i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735720623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735720623\",\"updateDate\":1735720626000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w95-d3h-c3r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1735864623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735864622\",\"updateDate\":1735864625000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6w8-3xn-j4c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736066223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1736066222\",\"updateDate\":1736066224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hcr-3py-6it\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736807340000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1736807340\",\"updateDate\":1736807342000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"00d-kfn-fwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740025013000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1740025013\",\"updateDate\":1740025019000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ceu-3h6-qug\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740269813000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1740269813\",\"updateDate\":1740269814000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"oed-ka8-syl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711550899000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"my_agent_rule\",\"updateDate\":1711550899000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"v9x-9ib-tr7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737288363000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"im a rule\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"qljifimbbh\",\"updateDate\":1737288363000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ast-isd-tty\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715645381000,\"creator\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1715645381\",\"updateDate\":1715645381000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"9l7-am7-hy6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736986169000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1736986169\",\"updateDate\":1736986169000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"tw0-y2e-9wf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1738627773000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1738627773\",\"updateDate\":1738627773000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"cdy-cvp-oqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728617680000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testjavacreateacsmthreatsagentrulereturnsokresponse1728617679\",\"updateDate\":1728617680000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"tth-j42-vc4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732591470000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testjavacreateacsmthreatsagentrulereturnsokresponse1732591469\",\"updateDate\":1732591470000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"lhe-ksz-xyj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711595493000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testjavagetacsmthreatsagentrulereturnsokresponse1711595493\",\"updateDate\":1711595493000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"73h-yo0-427\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725240870000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1725240869\",\"updateDate\":1725240870000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ohq-oxe-jb4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1726883002000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1726883002\",\"updateDate\":1726883002000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"912-lu2-2sg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1731203077000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1731203077\",\"updateDate\":1731203077000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"5c8-aij-182\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720156180000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testrustgetacsmthreatsagentrulereturnsokresponse1720156180\",\"updateDate\":1720156180000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5jy-8qa-vwx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724216976000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testrustupdateacsmthreatsagentrulereturnsbadrequestresponse1724216976\",\"updateDate\":1724216976000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"24l-rs9-d0x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1710500975000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975\",\"updateDate\":1710500975000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"pz7-rvb-ckm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734692969000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1734692969\",\"updateDate\":1734692970000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ctc-pux-luh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737951387000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1737951387\",\"updateDate\":1737951389000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"v64-qmf-tal\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740543488000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1740543488\",\"updateDate\":1740543488000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"7ts-208-rn4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AppArmor profile was modified in an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"apparmor_modified_tty\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-7m7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditctl command was used to modify auditd\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"auditctl\\\" \\u0026\\u0026 exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditctl_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ly8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd configuration file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_config_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ehx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd rules file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_rule_file_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS CLI utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"aws\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_cli_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9f3-haw-91q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS EKS service account 
token was accessed\",\"enabled\":true,\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_eks_service_account_token_accessed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgv-wsb-pse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", ~\\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_imds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"c2g-31u-jpk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An Azure IMDS was called via a network 
utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"azure_imds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-a41\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The base64 command was used to decode information\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"base64\\\" \\u0026\\u0026 exec.args_flags in [\\\"d\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"base64_decode\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4tl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Certutil was executed to transmit or decode a potentially malicious file\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"certutil.exe\\\" \\u0026\\u0026 ((exec.cmdline =~ \\\"*urlcache*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*split*\\\") || exec.cmdline =~ \\\"*decode*\\\")\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"certutil_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nin\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS request was made for a chatroom domain\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"chatroom_request\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"647-nlb-uld\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"common_net_intrusion_util\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"smg-le8-msf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler wrote a suspicious file in a container\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n\\u0026\\u0026 (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"])\\n\\u0026\\u0026 process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n\\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"compile_after_delivery\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ehh-ypb-9pl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler was executed inside of a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || (exec.file.name == \\\"go\\\" \\u0026\\u0026 exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) \\u0026\\u0026 container.id !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"compiler_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-u7b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Known offensive tool crackmap exec executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*crackmapexec*\\\", ~\\\"*cme.exe*\\\", ~\\\"*cme.py*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"crackmap_exec_executed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"s9m-foq-qqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", 
\\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"td2-31c-ln4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lli-czr-q4y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-3b9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files 
were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0yj-grp-cmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", 
\\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"q08-c9l-rsp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"credential_modified_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kv9-026-vhz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-brb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"regedit used to export critical registry hive\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"reg.exe\\\", \\\"regedit.exe\\\"] \\u0026\\u0026 exec.cmdline in [~\\\"*hklm*\\\", ~\\\"*hkey_local_machine*\\\", ~\\\"*system*\\\", ~\\\"*sam*\\\", ~\\\"*security*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"critical_registry_export\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-xg6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a critical windows file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\**\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"critical_windows_files_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ogb-clp-hot\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wnk-nli-nbp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to 
cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mcv-y5o-zg5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"cron_at_job_creation_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"uis-h13-41q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xa1-b6v-n2l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m23-qb9-9s8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mx-n6o-mmb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", 
\\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jr3-0m8-jlj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process launched with arguments associated with cryptominers\",\"enabled\":true,\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args_flags == \\\"randomx-1gb-pages\\\" || exec.args in [~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_args\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6jw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process environment variables match cryptocurrency miner\",\"enabled\":true,\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_envs\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0fx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell process spawned from print 
server\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 process.parent.file.name == \\\"foomatic-rip\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cups_spawned_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-h1x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Docker socket was referenced in a cURL command\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"curl\\\" \\u0026\\u0026 exec.args_flags in [\\\"unix-socket\\\"] \\u0026\\u0026 exec.args in [~\\\"*docker.sock*\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"curl_docker_socket\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mq1-y7n-kf2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n 
\\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/b
in/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] \\u0026\\u0026\\n!(process.parent.file.name == \\\"initdb\\\" \\u0026\\u0026\\nexec.args == \\\"-c locale -a\\\") \\u0026\\u0026\\n!(process.parent.file.name == \\\"postgres\\\" \\u0026\\u0026\\nexec.args == ~\\\"*pg_wal*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"database_shell_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0en\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The debugfs was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"debugfs\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"debugfs_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-u1r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process deleted common system log files\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/var/run/utmp\\\", \\\"/var/log/wtmp\\\", \\\"/var/log/btmp\\\", \\\"/var/log/lastlog\\\", \\\"/var/log/faillog\\\", \\\"/var/log/syslog\\\", \\\"/var/log/messages\\\", \\\"/var/log/secure\\\", \\\"/var/log/auth.log\\\", \\\"/var/log/boot.log\\\", \\\"/var/log/kern.log\\\"] \\u0026\\u0026 process.comm not in 
[\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"delete_system_log\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-juz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A privileged container was created\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 container.created_at \\u003c 1s \\u0026\\u0026 process.cap_permitted \\u0026 CAP_SYS_ADMIN \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"deploy_priv_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A file executed from /dev/shm/ directory\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/dev/shm/**\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"devshm_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sej-11b-ey6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation attempt\",\"enabled\":true,\"expression\":\"(splice.pipe_entry_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \\u0026\\u0026 (splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dirty_pipe_attempt\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"422-svi-03v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation\",\"enabled\":true,\"expression\":\"(splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) \\u003e 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dirty_pipe_exploitation\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-beh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dotnet_dump was used to dump a process memory\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*dotnet-dump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*collect*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"dotnet_dump_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2rq-drz-11u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process unlinked a dynamic linker config file\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dynamic_linker_config_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2s5-ipa-ooo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process wrote to a dynamic linker config file\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dynamic_linker_config_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4xu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the lsmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exec_lsmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The whoami command was executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"whoami\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_whoami\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ev8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The wrmsr program executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"wrmsr\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_wrmsr\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bus\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The executable bit was added to a newly created file\",\"enabled\":true,\"expression\":\"chmod.file.in_upper_layer \\u0026\\u0026\\nchmod.file.change_time \\u003c 30s \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026\\nchmod.file.destination.mode != chmod.file.mode \\u0026\\u0026\\nchmod.file.destination.mode \\u0026 S_IXUSR|S_IXGRP|S_IXOTH \\u003e 0 \\u0026\\u0026\\nprocess.argv in [\\\"+x\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"executable_bit_added\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nv0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The rclone utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"rclone\\\", \\\"rsync\\\", \\\"sftp\\\", \\\"ftp\\\", \\\"scp\\\", \\\"dcp\\\", \\\"rcp\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"file_sync_exfil\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-t06\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"find command searching for sensitive files\",\"enabled\":true,\"expression\":\"exec.comm == \\\"find\\\" \\u0026\\u0026 exec.args in [~\\\"*credentials*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"find_credentials\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ro4-rju-1vq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An GCP IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"gcp_imds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bgf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A hidden file was executed in a suspicious 
folder\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\".*\\\" \\u0026\\u0026 exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"hidden_file_executed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lkj-jnb-khe\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDSv1 request was issued\",\"enabled\":false,\"expression\":\"imds.cloud_provider == \\\"aws\\\" \\u0026\\u0026 imds.aws.is_imds_v2 == false \\u0026\\u0026 process.file.name not in ${imds_v1_usage_services}\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"imds_v1_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jeh-18e-m9h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An interactive shell was started inside of a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] 
\\u0026\\u0026 exec.args_flags in [\\\"i\\\"] \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"interactive_shell_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x7z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process executed with arguments common with Inveigh tool usage\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*SpooferIP*\\\", ~\\\"*ReplyToIPs*\\\", ~\\\"*ReplyToDomains*\\\", ~\\\"*ReplyToMACs*\\\", ~\\\"*SnifferIP*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"inveigh_tool_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4ov-ang-2gx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a IP check service\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ip_check_domain\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-88h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Egress traffic allowed using iptables\",\"enabled\":true,\"expression\":\"exec.comm == \\\"iptables\\\" \\u0026\\u0026 process.args in [r\\\"OUTPUT.*((25[0-5]|(2[0-4]|1\\\\d|[1-9]|)\\\\d)\\\\.?\\\\b){4}.*ACCEPT\\\"] \\u0026\\u0026 process.args not in 
[r\\\"(127\\\\.)|(10\\\\.)|(172\\\\.1[6-9]\\\\.)|(172\\\\.2[0-9]\\\\.)|(^172\\\\.3[0-1]\\\\.)|(192\\\\.168\\\\.)|(169\\\\.254\\\\.)\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"iptables_egress_allowed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made an outbound IRC connection\",\"enabled\":true,\"expression\":\"connect.addr.port == 6667 \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"irc_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-but\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"])\\n\\u0026\\u0026 process.parent.file.name in [\\\"java\\\", \\\"jspawnhelper\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"java_shell_execution_parent\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Jupyter notebook executed a shell\",\"enabled\":true,\"expression\":\"(exec.file.name in [\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"te
st\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"jupyter_shell_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0i7-z9o-zed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Kubernetes pod service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"] \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", 
~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"] \\u0026\\u0026 process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", \\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"k8s_pod_service_account_token_accessed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2dz-kyt-nme\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"94l-lhd-e33\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ucb-5zb-rmj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"5t3-iiv-rv5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A 
kernel module was loaded\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == false \\u0026\\u0026 load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\", \\\"udp_diag\\\", \\\"inet_diag\\\"] \\u0026\\u0026 process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dkb-9ud-0ca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container loaded a new kernel module\",\"enabled\":true,\"expression\":\"load_module.name != \\\"\\\" \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lrg-avx-x1k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"gx3-4a5-w9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory inside a 
container\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"56y-vsb-zqu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3i1-zpd-ycj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ 
~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"20v-gdb-0ha\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"kernel_module_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"fyq-x5u-mv1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dpm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to enable writing to model-specific registers\",\"enabled\":true,\"expression\":\"exec.comm == \\\"modprobe\\\" \\u0026\\u0026 process.args =~ \\\"*msr*allow_writes*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_msr_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-xv7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the kmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"kmod\\\" \\u0026\\u0026 exec.args in [~\\\"*list*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kmod_list\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows Known DLLs location registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\KnownDLLs*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"known_dll_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kubernetes DNS enumeration\",\"enabled\":true,\"expression\":\"dns.question.name == \\\"any.any.svc.cluster.local\\\" \\u0026\\u0026 dns.question.type == SRV \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kubernetes_dns_enumeration\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"j8a-wic-bvi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"enabled\":true,\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\", 
~\\\"LD_PRELOAD=/dev/shm/*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ld_preload_unusual_library_path\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fbb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Library libpam.so hooked using eBPF\",\"enabled\":true,\"expression\":\"bpf.cmd == BPF_MAP_CREATE \\u0026\\u0026 process.args in [r\\\"libpam\\\\.so\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"libpam_ebpf_hook\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Looney Tunables (CVE-2023-4911) exploit attempted\",\"enabled\":true,\"expression\":\"exec.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 exec.file.uid == 0 \\u0026\\u0026 exec.uid != 0 \\u0026\\u0026 exec.envs in [~\\\"*GLIBC_TUNABLES*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"looney_tunables_exploit\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6ql\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"memfd object created\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\"memfd*\\\" \\u0026\\u0026 exec.file.path == \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"memfd_create\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d1i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process memory was dumped using the minidump function from comsvcs.dll\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*MiniDump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*comsvcs*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"minidump_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"caz-yrk-14e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"enabled\":true,\"expression\":\"dns.question.name in [~\\\"*.minexmr.com\\\", \\\"minexmr.com\\\", ~\\\"*.nanopool.org\\\", \\\"nanopool.org\\\", ~\\\"*.supportxmr.com\\\", \\\"supportxmr.com\\\", ~\\\"*.c3pool.com\\\", \\\"c3pool.com\\\", ~\\\"*.p2pool.io\\\", \\\"p2pool.io\\\", ~\\\"*.ethermine.org\\\", \\\"ethermine.org\\\", ~\\\"*.f2pool.com\\\", \\\"f2pool.com\\\", ~\\\"*.poolin.me\\\", \\\"poolin.me\\\", ~\\\"*.rplant.xyz\\\", \\\"rplant.xyz\\\", ~\\\"*.miningocean.org\\\", \\\"miningocean.org\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mining_pool_lookup\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ab6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently modified file requested credentials from IMDS\",\"enabled\":true,\"expression\":\"imds.url =~ \\\"/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.parent.file.modification_time \\u003c 120s || process.file.modification_time \\u003c 30s)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"modified_file_requesting_imds_creds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mxb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The host file system was mounted in a container\",\"enabled\":true,\"expression\":\"mount.source.path == \\\"/\\\" \\u0026\\u0026 mount.fs_type != \\\"overlay\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_host_fs\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ibc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The mount utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"mount\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mr5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process hidden using mount\",\"enabled\":true,\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_proc_hide\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"zfb-ixo-o4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious file was written by a network utility\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0 \\u0026\\u0026 process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_file_download\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sqi-q1z-onu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Network utility executed with suspicious URI\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_unusual_request\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7y2-ihu-hm2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id == \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os 
== \\\"linux\\\"\"],\"name\":\"net_util\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"a52-req-ghm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Exfiltration attempt via network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026\\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] \\u0026\\u0026\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_exfiltration\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w0z-64n-bss\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed in a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-969\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible netcat shell 
detected\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"netcat\\\", \\\"nc\\\", \\\"ncat\\\"] \\u0026\\u0026 ((exec.args_flags in [\\\"l\\\"] \\u0026\\u0026 exec.args_flags in [\\\"p\\\"]) || (exec.args_flags in [\\\"n\\\"] \\u0026\\u0026 exec.args_flags in [\\\"v\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"netcat_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-9rk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Local account groups were enumerated after container start up\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"network_sniffing_tool\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xgw-28i-480\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container executed a new binary not found in the container image\",\"enabled\":true,\"expression\":\"container.id != \\\"\\\" \\u0026\\u0026 process.file.in_upper_layer \\u0026\\u0026 process.file.modification_time \\u003c 30s \\u0026\\u0026 exec.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"new_binary_execution_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qn0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsenter used to breakout of container\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"nsenter\\\" \\u0026\\u0026 exec.args_options in [\\\"target=1\\\", \\\"t=1\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsenter_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mqh-lgo-brj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"v2b-cd3-clr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwc-6it-t7i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"e5h-onu-f7l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-i9x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) 
\\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 container.created_at \\u003e 90s \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sif-d9p-wzg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mu-d2x-fyk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qt9-i99-q9p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without 
authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"NTDS file referenced in commandline\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"ntds_in_commandline\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-49j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A known kubernetes pentesting tool has been executed\",\"enabled\":true,\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] \\u0026\\u0026 (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"offensive_k8s_tool\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4yt-ize-avz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Omiagent spawns a privileged child process\",\"enabled\":true,\"expression\":\"exec.uid \\u003e= 0 \\u0026\\u0026 process.ancestors.file.name == \\\"omiagent\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"omigod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tp8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process opened a model-specific register (MSR) configuration file\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/sys/module/msr/parameters/allow_writes\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"open_msr_writes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jl7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"openssl used to establish backdoor\",\"enabled\":true,\"expression\":\"exec.comm == \\\"openssl\\\" \\u0026\\u0026 exec.args =~ \\\"*s_client*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"openssl_backdoor\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0pf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to overwrite the container entrypoint\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/proc/self/fd/1\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0 \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"overwrite_entrypoint\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o1o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made a connection to a port associated with P2PInfect malware\",\"enabled\":true,\"expression\":\"connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 connect.addr.is_public == true \\u0026\\u0026 connect.addr.port \\u003e= 60100 \\u0026\\u0026 connect.addr.port \\u003c= 60150\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"p2pinfect_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m7d-vlh-3yq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Package management was detected in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"package_management_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"34t-hic-8cn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pam_modification_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pfu-dvh-e5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"x7i-34j-1rv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w7o-w48-j34\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pam_modification_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wri-hx3-4n3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"900-1sj-xhs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pxk-42u-fga\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"l2e-aka-bw6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"enabled\":true,\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"passwd_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"460-gys-lqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a pastebin-like site\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\", \\\"rentry.co\\\", \\\"transfer.sh\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"paste_site\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7vi-w5r-h15\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xiu-ghq-4zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9ym-18v-5zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"fpa-r6g-2em\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-y7j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9pu-mp3-xea\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ssp-47a-p20\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"q0u-s8m-8pd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", 
\\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-lel\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible perl bind shell detected\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"perl*\\\" \\u0026\\u0026 exec.args_flags in [\\\"e\\\"] \\u0026\\u0026 ((exec.args in [~\\\"*socket*\\\", ~\\\"*bind*\\\", ~\\\"*sockaddr*\\\", ~\\\"*listen*\\\", ~\\\"*accept\\\", ~\\\"*stdin*\\\", ~\\\"*stdout\\\"]) || (exec.args in [~\\\"*/bin/sh*\\\", ~\\\"*/bin/bash*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"perl_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-7ez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible php shell detected\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"php\\\" \\u0026\\u0026 exec.args_flags in [\\\"r\\\"] \\u0026\\u0026 ((exec.args in [~\\\"*socket_bind*\\\", ~\\\"*socket_listen*\\\", ~\\\"*socket_accept*\\\", ~\\\"*socket_create*\\\", 
~\\\"*socket_write*\\\", ~\\\"*socket_read*\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"php_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PHP web application spawning shell\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name in [\\\"php.exe\\\",\\\"php-cgi.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"php_spawning_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-8j2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A web application spawned a shell or shell utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"potential_web_shell_parent\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-guo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was executed matching arguments for a UAC bypass technique common in powershell empire\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\\\", ~\\\"*-NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"powershell_empire_uac_bypass\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oy4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A tool used to dump process memory has been executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"procmon.exe\\\",\\\"procdump.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"procdump_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pwu-7u7-iiq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_TRACEME \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ptrace_antidebug\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kpm-7kh-xz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to inject code into another process\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ptrace_injection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wpz-bim-6rb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"enabled\":true,\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" \\u0026\\u0026 exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] \\u0026\\u0026 exec.envs not in [~\\\"*DISPLAY*\\\", ~\\\"*DESKTOP_SESSION*\\\"] \\u0026\\u0026 exec.uid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pwnkit_privilege_escalation\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"g7f-kfr-tdb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Python code was provided on the command 
line\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"python*\\\" \\u0026\\u0026 exec.args_flags in [\\\"c\\\"] \\u0026\\u0026 exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", ~\\\"*-c*/bash*\\\", ~\\\"*-c*/bin/sh*\\\", ~\\\"*-c*pty.spawn*\\\"] \\u0026\\u0026 exec.args !~ \\\"*setuptools*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"python_cli_code\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-do7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Possible ransomware note created under common user directories\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n\\u0026\\u0026 open.file.name in [r\\\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\\\"] \\u0026\\u0026 open.file.name not in [r\\\"\\\\.lock$\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ransomware_note\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-y27\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"RC scripts modified\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"rc_scripts_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The kubeconfig file was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"read_kubeconfig\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-npv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detects CVE-2022-0543\",\"enabled\":true,\"expression\":\"(open.file.path =~ \\\"/usr/lib/x86_64-linux-gnu/*\\\" \\u0026\\u0026 open.file.name in [\\\"libc-2.29.so\\\", \\\"libc-2.30.so\\\", \\\"libc-2.31.so\\\", \\\"libc-2.32.so\\\", \\\"libc-2.33.so\\\", \\\"libc-2.34.so\\\", \\\"libc-2.35.so\\\", \\\"libc-2.36.so\\\", \\\"libc-2.37.so\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"redis_sandbox_escape\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wv3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Redis module has been created\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) 
\\u003e 0 \\u0026\\u0026 open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) \\u0026\\u0026 process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"redis_save_module\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows registry hives file location key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\hivelist*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_hives_file_path_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6oh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Registry runkey has been modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_runkey_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6x2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Service registry runkey modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\CurrentVersion\\\\RunServices\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_service_runkey_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bv2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process matches known relay attack tool\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"*PetitPotam*\\\", ~\\\"*RottenPotato*\\\", ~\\\"*HotPotato*\\\", ~\\\"*JuicyPotato*\\\", ~\\\"*just_dce_*\\\", ~\\\"*Juicy Potato*\\\", \\\"rot.exe\\\", \\\"Potato.exe\\\", \\\"SpoolSample.exe\\\", \\\"Responder.exe\\\", ~\\\"*smbrelayx*\\\", ~\\\"*smbrelayx*\\\", ~\\\"*ntlmrelayx*\\\", ~\\\"*LocalPotato*\\\"] || exec.cmdline in [~\\\"*Invoke-Tater*\\\", ~\\\"*smbrelay*\\\", ~\\\"*ntlmrelay*\\\", ~\\\"*cme smb*\\\", ~\\\"*ntlm:NTLMhash*\\\", ~\\\"*Invoke-PetitPotam*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"relay_attack_tool_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eho\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Container escape attempted by overwriting release_agent\",\"enabled\":true,\"expression\":\"open.file.name == \\\"release_agent\\\" \\u0026\\u0026 open.file.path in [\\\"/tmp/**\\\", \\\"/home/**\\\", \\\"/root/**\\\", \\\"/*\\\"] \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"release_agent_escape\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b5z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match rubeus credential theft tool\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*asreproast*\\\", ~\\\"*/service:krbtgt*\\\", ~\\\"*dump /luid:0x*\\\", ~\\\"*kerberoast*\\\", ~\\\"*createonly /program*\\\", ~\\\"*ptt /ticket*\\\", ~\\\"*impersonateuser*\\\", ~\\\"*renew /ticket*\\\", ~\\\"*asktgt /user*\\\", ~\\\"*harvest /interval*\\\", ~\\\"*s4u /user*\\\", ~\\\"*hash /password*\\\", ~\\\"*golden /aes256*\\\", ~\\\"*silver /user*\\\", \\\"*rubeus*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"rubeus_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-h19\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The container breakout CVE-2024-21626 was successful\",\"enabled\":true,\"expression\":\"chdir.syscall.path =~ \\\"/proc/self/fd/*\\\" \\u0026\\u0026 chdir.file.path == \\\"/sys/fs/cgroup\\\" \\u0026\\u0026 process.file.name =~ \\\"runc.*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"runc_leaky_fd\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"tlu-qlm-1ow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The runc binary was modified in a non-standard way\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n\\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"runc_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x51\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Safeboot registry modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"safeboot_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A scheduled task was created\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*at.exe\\\",~\\\"*schtasks*\\\"] \\u0026\\u0026 exec.cmdline =~ \\\"*create*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"scheduled_task_creation\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgq-lg4-tas\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SELinux enforcement status was disabled\",\"enabled\":true,\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] \\u0026\\u0026 process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"selinux_disable_enforcement\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j45\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process is tracing privileged processes or sshd for possible credential dumping\",\"enabled\":true,\"expression\":\"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \\u0026\\u0026 ptrace.tracee.euid == 0 \\u0026\\u0026 process.comm not in [\\\"dlv\\\", \\\"dlv-linux-amd64\\\", \\\"strace\\\", \\\"gdb\\\", \\\"lldb-server\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"sensitive_tracing\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-uv8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"systemctl used to stop a service\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"systemctl\\\" \\u0026\\u0026 exec.args in [~\\\"*stop*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"service_stop\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qf8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"sharpup tool used for local privilege escalation\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sharpup.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*HijackablePaths*\\\", ~\\\"*UnquotedServicePath*\\\", ~\\\"*ProcessDLLHijack*\\\", ~\\\"*ModifiableServiceBinaries*\\\", ~\\\"*ModifiableScheduledTask*\\\", ~\\\"*DomainGPPPassword*\\\", ~\\\"*CachedGPPPassword*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"sharpup_tool_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dfr-by9-sx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"unlink.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 unlink.file.path in [~\\\"/root/**\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", 
\\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_deleted\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dmf-a2c-odj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ln\\\" \\u0026\\u0026 exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_symlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"v5x-8l4-d6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.file.name == \\\"truncate\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_truncated\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dar\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell made an outbound network connection\",\"enabled\":true,\"expression\":\"connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 process.file.name in 
[\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"] \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_net_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fn2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell profile was modified\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] \\u0026\\u0026 open.flags \\u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_profile_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hbr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match sliver c2 implant\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*NoExit *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*Command *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"sliver_c2_implant_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oi1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible socat shell detected\",\"enabled\":true,\"expression\":\"((exec.file.name == \\\"socat\\\") || (exec.comm == \\\"socat\\\")) \\u0026\\u0026 exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\", ~\\\"*exec*\\\", ~\\\"*pty*\\\", ~\\\"*setsid*\\\", ~\\\"*stderr*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"socat_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"htc-275-0wt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7q3-6aa-pix\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"91f-pyq-54k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n link.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (link.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rpc-ji0-zfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qwu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) 
\\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"t5u-qdx-650\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n rename.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (rename.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"y0y-3gl-645\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n unlink.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (unlink.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hba-kfe-1xr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n utimes.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (utimes.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o13\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The configuration directory for an ssh worm\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_it_tool_config_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-41f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH initiated a connection on a nonstandard port\",\"enabled\":true,\"expression\":\"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \\u0026\\u0026 process.file.name == \\\"ssh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_nonstandard_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-g5v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to an SSH server\",\"enabled\":true,\"expression\":\"connect.addr.port == 22 \\u0026\\u0026 connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 connect.addr.ip not in [127.0.0.0/8]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_outbound_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"y5i-yxn-27t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.mode != chmod.file.destination.mode\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kyr-sg6-us9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w6f-wte-i63\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" 
]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"191-ty1-ede\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qt6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n\\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"o5t-b08-86p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9y1-cbb-p03\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ayv-hqe-lx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-crv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path == 
\\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-l8e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-myb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mmo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n(open.file.path == \\\"/etc/sudoers\\\")) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-550\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bxs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-s07\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-5wh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a SUID file was executed\",\"enabled\":true,\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) \\u0026\\u0026 process.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 process.file.uid == 0 \\u0026\\u0026 process.uid != 0 \\u0026\\u0026 process.file.path != \\\"/usr/bin/sudo\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suid_file_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4y4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious bitsadmin command has been executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"bitsadmin.exe\\\" 
\\u0026\\u0026 exec.cmdline in [~\\\"*addfile*\\\", ~\\\"*create*\\\", ~\\\"*resume*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_bitsadmin_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"afj-5sv-2wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suspicious_container_client\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eck\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dll written to a suspicious directory\",\"enabled\":true,\"expression\":\"create.file.name =~ \\\"*.dll\\\" \\u0026\\u0026 create.file.device_path not in [~\\\"\\\\Device\\\\*\\\\Windows\\\\System32\\\\**\\\", ~\\\"\\\\Device\\\\*\\\\ProgramData\\\\docker\\\\**\\\"] \\u0026\\u0026 process.file.name != \\\"dockerd.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_dll_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-2k6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Suspicious usage of ntdsutil\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"ntdsutil.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*ntds*\\\", ~\\\"*create*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"suspicious_ntdsutil_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zo8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently written or modified suid file has been executed\",\"enabled\":true,\"expression\":\"((process.file.mode \\u0026 S_ISUID \\u003e 0) \\u0026\\u0026 process.file.modification_time \\u003c 30s) \\u0026\\u0026 exec.file.name != \\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suspicious_suid_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"48s-46n-g4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwy-h4d-pwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"64n-p6m-uq1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", 
~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7zw-qbm-y6d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"prk-6q1-g0m\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", 
~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jlt-y4v-dax\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"yjj-o5q-x00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-18q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tar archive created\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" \\u0026\\u0026 exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tar_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-925\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell with a TTY was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 process.tty_name != \\\"\\\" \\u0026\\u0026 
process.container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tty_shell_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hlr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tunneling or port forwarding tool used\",\"enabled\":true,\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") \\u0026\\u0026 process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] \\u0026\\u0026 process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] \\u0026\\u0026 process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" \\u0026\\u0026 process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" \\u0026\\u0026 process.args in [r\\\"(TCP4-LISTEN:|SOCKS)\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] \\u0026\\u0026 process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tunnel_traffic\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wok\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Device rule created\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/etc/udev/rules.d/*\\\", ~\\\"/lib/udev/rules.d/*\\\", ~\\\"/usr/lib/udev/rules.d/*\\\", ~\\\"/usr/local/lib/udev/rules.d/*\\\", ~\\\"/run/udev/rules.d/*\\\"] 
\\u0026\\u0026 open.flags \\u0026 O_CREAT \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"udev_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oil\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The unshare utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"unshare\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"unshare_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"07y-k18-cih\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was created via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"D\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_created_tty\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qem\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was deleted via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"userdel\\\", 
\\\"deluser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_deleted_tty\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-a65\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Web application requested IMDSv1 credentials\",\"enabled\":true,\"expression\":\"imds.aws.is_imds_v2 == false \\u0026\\u0026 imds.url =~ \\\"*/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.ancestors.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.ancestors.file.name =~ \\\"php*\\\" || process.ancestors.file.name == \\\"java\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"webapp_imds_V1_request\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nip\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Browser WebDriver spawned shell\",\"enabled\":true,\"expression\":\"process.parent.file.name in [~\\\"chromedriver*\\\", \\\"geckodriver\\\"] \\u0026\\u0026 exec.file.name not in [\\\"chrome\\\", \\\"google-chrome\\\", \\\"chromium\\\", \\\"firefox\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"webdriver_spawned_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-gqa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows boot registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\IniFileMapping\\\\SYSTEM.ini\\\\boot*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_boot_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tat\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows RPC COM debugging registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_com_rpc_debugging_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-76q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows cryptographic blocking policy modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllRemoveSignedDataMsg*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_cryptographic_blocking_policy_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fsq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A cryptominer was potentially executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_cryptominer_process\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6lj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"windows explorer file has been modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\explorer.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_explorer_executable_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wnn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows firewall configuration registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_firewall_configuration_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tlf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"the windows hosts file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\Drivers\\\\etc\\\\hosts\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_hosts_file_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zp4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"microsoft security essentials executable modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\Program Files\\\\Microsoft Security Client\\\\msseces.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_security_essentials_executable_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-n3u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows shell folders registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders*\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_shell_folders_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-m9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows environment variable registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Environment*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_system_enviroment_variable_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wqf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows update registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsUpdate*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_update_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows winlogon registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"winlogon_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vjv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Command executed via WMI\",\"enabled\":true,\"expression\":\"exec.file.name in 
[~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name == \\\"WmiPrvSE.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"wmi_spawning_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}", + "string": "{\"data\":[{\"id\":\"def-000-vjv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Command executed via WMI\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name == \\\"WmiPrvSE.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"wmi_spawning_shell\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1047-windows-management-instrumentation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0pf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to overwrite the container entrypoint\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/proc/self/fd/1\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0 \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"overwrite_entrypoint\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"e5h-onu-f7l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-t06\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"find command searching for sensitive files\",\"enabled\":true,\"expression\":\"exec.comm == \\\"find\\\" \\u0026\\u0026 exec.args in [~\\\"*credentials*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"find_credentials\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ogb-clp-hot\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"cron_at_job_creation_chmod\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wpz-bim-6rb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"enabled\":true,\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" \\u0026\\u0026 exec.envs 
in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] \\u0026\\u0026 exec.envs not in [~\\\"*DISPLAY*\\\", ~\\\"*DESKTOP_SESSION*\\\"] \\u0026\\u0026 exec.uid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pwnkit_privilege_escalation\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pxk-42u-fga\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pam_modification_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"caz-yrk-14e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"enabled\":true,\"expression\":\"dns.question.name in [~\\\"*.minexmr.com\\\", \\\"minexmr.com\\\", ~\\\"*.nanopool.org\\\", \\\"nanopool.org\\\", ~\\\"*.supportxmr.com\\\", \\\"supportxmr.com\\\", ~\\\"*.c3pool.com\\\", \\\"c3pool.com\\\", ~\\\"*.p2pool.io\\\", \\\"p2pool.io\\\", ~\\\"*.ethermine.org\\\", \\\"ethermine.org\\\", ~\\\"*.f2pool.com\\\", \\\"f2pool.com\\\", ~\\\"*.poolin.me\\\", \\\"poolin.me\\\", ~\\\"*.rplant.xyz\\\", \\\"rplant.xyz\\\", ~\\\"*.miningocean.org\\\", \\\"miningocean.org\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"mining_pool_lookup\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sej-11b-ey6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation attempt\",\"enabled\":true,\"expression\":\"(splice.pipe_entry_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \\u0026\\u0026 (splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"dirty_pipe_attempt\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-m9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows environment variable registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Environment*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_system_enviroment_variable_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"q0u-s8m-8pd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_utimes\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"uis-h13-41q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"cron_at_job_creation_open\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hlr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tunneling or port forwarding tool used\",\"enabled\":true,\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") \\u0026\\u0026 process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] \\u0026\\u0026 process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] \\u0026\\u0026 process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" \\u0026\\u0026 process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" \\u0026\\u0026 process.args in [r\\\"(TCP4-LISTEN:|SOCKS)\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] \\u0026\\u0026 process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"tunnel_traffic\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1572-protocol-tunneling\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"647-nlb-uld\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility (such as nmap) commonly used in intrusion attacks was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"common_net_intrusion_util\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1046-network-service-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"y0y-3gl-645\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n unlink.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (unlink.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_authorized_keys_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-but\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"])\\n\\u0026\\u0026 process.parent.file.name in [\\\"java\\\", \\\"jspawnhelper\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"java_shell_execution_parent\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j45\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process is tracing privileged processes or sshd for possible credential dumping\",\"enabled\":true,\"expression\":\"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \\u0026\\u0026 ptrace.tracee.euid == 0 \\u0026\\u0026 process.comm not in [\\\"dlv\\\", \\\"dlv-linux-amd64\\\", \\\"strace\\\", \\\"gdb\\\", \\\"lldb-server\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"sensitive_tracing\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1055-process-injection\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tlf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"the windows hosts file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\Drivers\\\\etc\\\\hosts\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_hosts_file_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qwu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_authorized_keys_open_v2\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x7z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process executed with arguments common with Inveigh tool usage\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*SpooferIP*\\\", ~\\\"*ReplyToIPs*\\\", ~\\\"*ReplyToDomains*\\\", ~\\\"*ReplyToMACs*\\\", ~\\\"*SnifferIP*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"inveigh_tool_usage\",\"product_tags\":[\"tactic:TA0009-collection\",\"technique:T1557-adversary-in-the-middle\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-guo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was executed matching arguments for a UAC bypass technique common in powershell empire\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\\\", ~\\\"*-NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"powershell_empire_uac_bypass\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bxs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"sudoers_policy_modified_unlink\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-h19\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The container breakout CVE-2024-21626 was successful\",\"enabled\":true,\"expression\":\"chdir.syscall.path =~ \\\"/proc/self/fd/*\\\" \\u0026\\u0026 chdir.file.path == \\\"/sys/fs/cgroup\\\" \\u0026\\u0026 process.file.name =~ \\\"runc.*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"runc_leaky_fd\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-7ez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible php shell detected\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"php\\\" \\u0026\\u0026 exec.args_flags in [\\\"r\\\"] \\u0026\\u0026 ((exec.args in [~\\\"*socket_bind*\\\", ~\\\"*socket_listen*\\\", ~\\\"*socket_accept*\\\", ~\\\"*socket_create*\\\", ~\\\"*socket_write*\\\", ~\\\"*socket_read*\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"php_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w0z-64n-bss\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed in a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"net_util_in_container\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-49j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A known kubernetes pentesting tool has been executed\",\"enabled\":true,\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] \\u0026\\u0026 (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"offensive_k8s_tool\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-y27\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"RC scripts modified\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"rc_scripts_modified\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1037-boot-or-logon-initialization-scripts\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"460-gys-lqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a pastebin-like site\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\", \\\"rentry.co\\\", \\\"transfer.sh\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"paste_site\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"o5t-b08-86p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 
process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_rename\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kv9-026-vhz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"credential_modified_utimes\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ly8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd configuration file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"auditd_config_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wnk-nli-nbp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"cron_at_job_creation_chown\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"191-ty1-ede\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_open\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jl7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"openssl used to establish backdoor\",\"enabled\":true,\"expression\":\"exec.comm == \\\"openssl\\\" \\u0026\\u0026 exec.args =~ \\\"*s_client*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"openssl_backdoor\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-41f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH initiated a connection on a nonstandard port\",\"enabled\":true,\"expression\":\"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \\u0026\\u0026 process.file.name == \\\"ssh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_nonstandard_connection\",\"product_tags\":[\"tactic:TA0008-lateral-movement\",\"technique:T1021-remote-services\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mxb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The host file system was mounted in a container\",\"enabled\":true,\"expression\":\"mount.source.path == \\\"/\\\" \\u0026\\u0026 mount.fs_type != \\\"overlay\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"mount_host_fs\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4tl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Certutil was executed to transmit or decode a potentially malicious file\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"certutil.exe\\\" \\u0026\\u0026 ((exec.cmdline =~ \\\"*urlcache*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*split*\\\") || exec.cmdline =~ \\\"*decode*\\\")\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"certutil_usage\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nv0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The rclone utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"rclone\\\", \\\"rsync\\\", \\\"sftp\\\", \\\"ftp\\\", \\\"scp\\\", \\\"dcp\\\", \\\"rcp\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"file_sync_exfil\",\"product_tags\":[\"tactic:TA0010-exfiltration\",\"technique:T1048-exfiltration-over-alternative-protocol\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lkj-jnb-khe\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"imds_v1_usage_services\",\"field\":\"process.file.name\",\"append\":true,\"ttl\":10000000000},\"disabled\":false}],\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDSv1 request was issued\",\"disabled\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"enabled\":false,\"expression\":\"imds.cloud_provider == \\\"aws\\\" \\u0026\\u0026 imds.aws.is_imds_v2 == false \\u0026\\u0026 process.file.name not in ${imds_v1_usage_services}\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"imds_v1_usage\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fbb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Library libpam.so hooked using eBPF\",\"enabled\":true,\"expression\":\"bpf.cmd == BPF_MAP_CREATE \\u0026\\u0026 process.args in [r\\\"libpam\\\\.so\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"libpam_ebpf_hook\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1056-input-capture\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d1i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process memory was dumped using the minidump function from comsvcs.dll\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*MiniDump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*comsvcs*\\\"\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"minidump_usage\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-8j2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A web application spawned a shell or shell utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"potential_web_shell_parent\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ssp-47a-p20\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 
process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_unlink\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"v5x-8l4-d6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.file.name == \\\"truncate\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"shell_history_truncated\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7ts-208-rn4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AppArmor profile was modified in an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"apparmor_modified_tty\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2dz-kyt-nme\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wv3\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{},\"disabled\":false}],\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Redis module has been created\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) \\u0026\\u0026 process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"redis_save_module\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1129-shared-modules\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dpm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to enable writing to model-specific registers\",\"enabled\":true,\"expression\":\"exec.comm == \\\"modprobe\\\" \\u0026\\u0026 process.args =~ \\\"*msr*allow_writes*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_msr_write\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"j8a-wic-bvi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"enabled\":true,\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\", ~\\\"LD_PRELOAD=/dev/shm/*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ld_preload_unusual_library_path\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nin\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS request was made for a chatroom domain\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"chatroom_request\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1572-protocol-tunneling\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9ym-18v-5zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_link\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ro4-rju-1vq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An GCP IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"gcp_imds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eho\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Container escape attempted by overwriting release_agent\",\"enabled\":true,\"expression\":\"open.file.name == \\\"release_agent\\\" \\u0026\\u0026 open.file.path in [\\\"/tmp/**\\\", \\\"/home/**\\\", \\\"/root/**\\\", \\\"/*\\\"] \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"release_agent_escape\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sif-d9p-wzg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-7m7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditctl command was used to modify auditd\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"auditctl\\\" \\u0026\\u0026 exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"auditctl_usage\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oil\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The unshare utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"unshare\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"unshare_in_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-925\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell with a TTY was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n 
\\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 process.tty_name != \\\"\\\" \\u0026\\u0026 process.container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"tty_shell_in_container\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"fyq-x5u-mv1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != 
\\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-a65\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Web application requested IMDSv1 credentials\",\"enabled\":true,\"expression\":\"imds.aws.is_imds_v2 == false \\u0026\\u0026 imds.url =~ \\\"*/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.ancestors.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.ancestors.file.name =~ \\\"php*\\\" || process.ancestors.file.name == \\\"java\\\")\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"webapp_imds_V1_request\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1531-account-access-removal\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xgw-28i-480\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container executed a new binary not found in the container image\",\"enabled\":true,\"expression\":\"container.id != \\\"\\\" \\u0026\\u0026 process.file.in_upper_layer \\u0026\\u0026 process.file.modification_time \\u003c 30s \\u0026\\u0026 exec.file.name != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"new_binary_execution_in_container\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wok\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Device rule created\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/etc/udev/rules.d/*\\\", ~\\\"/lib/udev/rules.d/*\\\", ~\\\"/usr/lib/udev/rules.d/*\\\", ~\\\"/usr/local/lib/udev/rules.d/*\\\", ~\\\"/run/udev/rules.d/*\\\"] \\u0026\\u0026 open.flags \\u0026 O_CREAT \\u003e 0\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"udev_modification\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1546-event-triggered-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mx-n6o-mmb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"cron_at_job_creation_utimes\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0yj-grp-cmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"credential_modified_rename\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4ov-ang-2gx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a IP check service\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ip_check_domain\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1016-system-network-configuration-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The whoami command was executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"whoami\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"exec_whoami\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1033-system-owner-or-user-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgv-wsb-pse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", ~\\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"aws_imds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-xv7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the kmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"kmod\\\" \\u0026\\u0026 exec.args in [~\\\"*list*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kmod_list\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1082-system-information-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4y4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious bitsadmin command has been executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"bitsadmin.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*addfile*\\\", ~\\\"*create*\\\", ~\\\"*resume*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"suspicious_bitsadmin_usage\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dfr-by9-sx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"unlink.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 unlink.file.path in [~\\\"/root/**\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"shell_history_deleted\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qt9-i99-q9p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ayv-hqe-lx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_utimes\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4yt-ize-avz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Omiagent spawns a privileged child process\",\"enabled\":true,\"expression\":\"exec.uid \\u003e= 0 \\u0026\\u0026 process.ancestors.file.name == \\\"omiagent\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"omigod\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1203-exploitation-for-client-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6x2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Service registry runkey modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\CurrentVersion\\\\RunServices\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"registry_service_runkey_modified\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m7d-vlh-3yq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Package management was detected in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"package_management_in_container\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\",\"policy:best-practice\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-h1x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Docker socket was referenced in a cURL command\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"curl\\\" \\u0026\\u0026 exec.args_flags in [\\\"unix-socket\\\"] \\u0026\\u0026 exec.args in [~\\\"*docker.sock*\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"curl_docker_socket\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kpm-7kh-xz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to inject code into another process\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ptrace_injection\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1055-process-injection\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-g5v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to an SSH server\",\"enabled\":true,\"expression\":\"connect.addr.port == 22 \\u0026\\u0026 connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, ::1/128, ::/128]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_outbound_connection\",\"product_tags\":[\"tactic:TA0008-lateral-movement\",\"technique:T1563-remote-service-session-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9y1-cbb-p03\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 
process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_unlink\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-gqa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows boot registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\IniFileMapping\\\\SYSTEM.ini\\\\boot*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_boot_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"64n-p6m-uq1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"systemd_modification_link\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xiu-ghq-4zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_chown\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2s5-ipa-ooo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process wrote to a dynamic linker config file\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", 
\\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"] \\u0026\\u0026 process.argv0 not in [\\\"runc\\\", \\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"dynamic_linker_config_write\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bgf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A hidden file was executed in a suspicious folder\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\".*\\\" \\u0026\\u0026 exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"hidden_file_executed\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zp4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"microsoft security essentials executable modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\Program Files\\\\Microsoft Security Client\\\\msseces.exe\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_security_essentials_executable_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-npv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detects CVE-2022-0543\",\"enabled\":true,\"expression\":\"(open.file.path =~ \\\"/usr/lib/x86_64-linux-gnu/*\\\" \\u0026\\u0026 open.file.name in [\\\"libc-2.29.so\\\", \\\"libc-2.30.so\\\", \\\"libc-2.31.so\\\", \\\"libc-2.32.so\\\", \\\"libc-2.33.so\\\", \\\"libc-2.34.so\\\", \\\"libc-2.35.so\\\", \\\"libc-2.36.so\\\", \\\"libc-2.37.so\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"redis_sandbox_escape\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eck\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dll written to a suspicious directory\",\"enabled\":true,\"expression\":\"create.file.name =~ \\\"*.dll\\\" \\u0026\\u0026 create.file.device_path not in [~\\\"\\\\Device\\\\*\\\\Windows\\\\System32\\\\**\\\", ~\\\"\\\\Device\\\\*\\\\ProgramData\\\\docker\\\\**\\\"] \\u0026\\u0026 process.file.name != \\\"dockerd.exe\\\"\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"suspicious_dll_write\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"technique:T1610-deploy-container\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-beh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dotnet_dump was used to dump a process memory\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*dotnet-dump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*collect*\\\"\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"dotnet_dump_execution\",\"product_tags\":[\"tactic:TA0009-collection\",\"technique:T1005-data-from-local-system\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"td2-31c-ln4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid 
!= chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"credential_modified_chown\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-5wh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a SUID file was executed\",\"enabled\":true,\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) \\u0026\\u0026 process.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 process.file.uid == 0 \\u0026\\u0026 process.uid != 0 \\u0026\\u0026 process.file.path != \\\"/usr/bin/sudo\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"suid_file_execution\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"smg-le8-msf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{},\"disabled\":false}],\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler wrote a suspicious file in a container\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n\\u0026\\u0026 (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"])\\n\\u0026\\u0026 process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n\\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"compile_after_delivery\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"tactic:TA0004-privilege-escalation\",\"technique:T1027-obfuscated-files-or-information\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"07y-k18-cih\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was created via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"D\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"user_created_tty\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1136-create-account\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-76q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows cryptographic blocking policy modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllRemoveSignedDataMsg*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_cryptographic_blocking_policy_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w7o-w48-j34\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pam_modification_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m23-qb9-9s8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"cron_at_job_creation_unlink\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zo8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently written or modified suid file has been executed\",\"enabled\":true,\"expression\":\"((process.file.mode \\u0026 S_ISUID \\u003e 0) \\u0026\\u0026 process.file.modification_time \\u003c 30s) \\u0026\\u0026 exec.file.name != \\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"suspicious_suid_execution\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"56y-vsb-zqu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0fx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell process spawned from print server\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 process.parent.file.name == \\\"foomatic-rip\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"cups_spawned_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b5z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match rubeus credential theft tool\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*asreproast*\\\", ~\\\"*/service:krbtgt*\\\", ~\\\"*dump /luid:0x*\\\", ~\\\"*kerberoast*\\\", ~\\\"*createonly /program*\\\", ~\\\"*ptt /ticket*\\\", ~\\\"*impersonateuser*\\\", ~\\\"*renew /ticket*\\\", ~\\\"*asktgt /user*\\\", ~\\\"*harvest /interval*\\\", ~\\\"*s4u /user*\\\", ~\\\"*hash /password*\\\", ~\\\"*golden /aes256*\\\", ~\\\"*silver /user*\\\", \\\"*rubeus*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"rubeus_execution\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1558-steal-or-forge-kerberos-tickets\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jeh-18e-m9h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An interactive shell was started inside of a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n 
\\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 exec.args_flags in [\\\"i\\\"] \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"interactive_shell_in_container\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"c2g-31u-jpk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An Azure IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"azure_imds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"91f-pyq-54k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n link.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (link.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_authorized_keys_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwc-6it-t7i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-s07\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"sudoers_policy_modified_utimes\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ev8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The wrmsr program executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"wrmsr\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"exec_wrmsr\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wri-hx3-4n3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pam_modification_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"tlu-qlm-1ow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The runc binary was modified in a non-standard way\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n\\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n\\u0026\\u0026 process.ancestors.file.path not 
in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"runc_modification\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qn0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsenter used to breakout of container\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"nsenter\\\" \\u0026\\u0026 exec.args_options in [\\\"target=1\\\", \\\"t=1\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"nsenter_in_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"afj-5sv-2wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"suspicious_container_client\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"technique:T1610-deploy-container\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-uv8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"systemctl used to stop a service\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"systemctl\\\" \\u0026\\u0026 exec.args in [~\\\"*stop*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"service_stop\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1489-service-stop\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7vi-w5r-h15\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_chmod\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6lj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"windows explorer file has been modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\explorer.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_explorer_executable_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"900-1sj-xhs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pam_modification_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jlt-y4v-dax\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"systemd_modification_unlink\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dmf-a2c-odj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ln\\\" \\u0026\\u0026 exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"shell_history_symlink\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ehx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd rules file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"auditd_rule_file_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fn2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell profile was modified\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] \\u0026\\u0026 open.flags \\u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \\u003e 0\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"shell_profile_modification\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-i9x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_open_v2\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7zw-qbm-y6d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"systemd_modification_open\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oi1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible socat shell detected\",\"enabled\":true,\"expression\":\"((exec.file.name == \\\"socat\\\") || (exec.comm == \\\"socat\\\")) \\u0026\\u0026 exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\", ~\\\"*exec*\\\", ~\\\"*pty*\\\", ~\\\"*setsid*\\\", ~\\\"*stderr*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"socat_shell\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"fpa-r6g-2em\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_open\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oy4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A tool used to dump process memory has been executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"procmon.exe\\\",\\\"procdump.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"procdump_execution\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-u7b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Known offensive tool crackmap exec executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*crackmapexec*\\\", ~\\\"*cme.exe*\\\", ~\\\"*cme.py*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"crackmap_exec_executed\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"htc-275-0wt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_authorized_keys_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-xg6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a critical windows file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\**\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"critical_windows_files_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lli-czr-q4y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"credential_modified_link\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"t5u-qdx-650\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n rename.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (rename.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_authorized_keys_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o1o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made a connection to a port associated with P2PInfect malware\",\"enabled\":true,\"expression\":\"connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 connect.addr.is_public == true \\u0026\\u0026 connect.addr.port \\u003e= 60100 \\u0026\\u0026 connect.addr.port \\u003c= 60150\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"p2pinfect_connection\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1071-application-layer-protocol\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o13\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The configuration directory for an ssh worm\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_it_tool_config_write\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6jw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process environment variables match cryptocurrency miner\",\"enabled\":true,\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"cryptominer_envs\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-u1r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process deleted common system log files\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/var/run/utmp\\\", \\\"/var/log/wtmp\\\", \\\"/var/log/btmp\\\", \\\"/var/log/lastlog\\\", \\\"/var/log/faillog\\\", \\\"/var/log/syslog\\\", \\\"/var/log/messages\\\", \\\"/var/log/secure\\\", \\\"/var/log/auth.log\\\", \\\"/var/log/boot.log\\\", \\\"/var/log/kern.log\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"delete_system_log\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"yjj-o5q-x00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"systemd_modification_utimes\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wnn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows firewall configuration registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_firewall_configuration_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Looney Tunables (CVE-2023-4911) exploit attempted\",\"enabled\":true,\"expression\":\"exec.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 exec.file.uid == 0 \\u0026\\u0026 exec.uid != 0 \\u0026\\u0026 exec.envs in [~\\\"*GLIBC_TUNABLES*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"looney_tunables_exploit\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dar\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell made an outbound network connection\",\"enabled\":true,\"expression\":\"connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 process.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"] \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"shell_net_connection\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-88h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Egress traffic allowed using iptables\",\"enabled\":true,\"expression\":\"exec.comm == \\\"iptables\\\" \\u0026\\u0026 process.args in [r\\\"OUTPUT.*((25[0-5]|(2[0-4]|1\\\\d|[1-9]|)\\\\d)\\\\.?\\\\b){4}.*ACCEPT\\\"] \\u0026\\u0026 process.args not in [r\\\"(127\\\\.)|(10\\\\.)|(172\\\\.1[6-9]\\\\.)|(172\\\\.2[0-9]\\\\.)|(^172\\\\.3[0-1]\\\\.)|(192\\\\.168\\\\.)|(169\\\\.254\\\\.)\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"iptables_egress_allowed\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bus\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The executable bit was added to a newly created file\",\"enabled\":true,\"expression\":\"chmod.file.in_upper_layer \\u0026\\u0026\\nchmod.file.change_time \\u003c 30s \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026\\nchmod.file.destination.mode != chmod.file.mode \\u0026\\u0026\\nchmod.file.destination.mode \\u0026 S_IXUSR|S_IXGRP|S_IXOTH \\u003e 0 \\u0026\\u0026\\nprocess.argv in [\\\"+x\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"executable_bit_added\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1222-file-and-directory-permissions-modification\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-550\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"sudoers_policy_modified_rename\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0i7-z9o-zed\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"processes_accessing\",\"field\":\"process.file.path\",\"append\":true,\"ttl\":60000000000},\"disabled\":false}],\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Kubernetes pod service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"]\\n\\u0026\\u0026 open.file.name == \\\"token\\\"\\n\\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", 
~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\\n\\u0026\\u0026 process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", \\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"]\\n\\u0026\\u0026 process.file.path not in ${processes_accessing}\\n\\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"k8s_pod_service_account_token_accessed\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"x7i-34j-1rv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pam_modification_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"zfb-ixo-o4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious file was written by a network utility\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0 \\u0026\\u0026 process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"net_file_download\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ab6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently modified file requested credentials from IMDS\",\"enabled\":true,\"expression\":\"imds.url =~ \\\"/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.parent.file.modification_time \\u003c 120s || process.file.modification_time \\u003c 30s)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"modified_file_requesting_imds_creds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-9rk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Local account groups were enumerated after container start up\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"network_sniffing_tool\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1040-network-sniffing\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w6f-wte-i63\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_link\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The kubeconfig file was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"read_kubeconfig\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"l2e-aka-bw6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"enabled\":true,\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"passwd_execution\",\"product_tags\":[\"tactic:TA0003-persistence\",\"tactic:TA0040-impact\",\"technique:T1098-account-manipulation\",\"technique:T1531-account-access-removal\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lrg-avx-x1k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_load_from_memory\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6ql\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"memfd object created\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\"memfd*\\\" \\u0026\\u0026 exec.file.path == \\\"\\\" \\u0026\\u0026 process.parent.file.path not in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\" , \\\"/run/docker/runtime-runc/moby/*\\\", \\\"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\\\"] \\u0026\\u0026 !(process.comm == \\\"dd-ipc-helper\\\" \\u0026\\u0026 exec.file.name in [\\\"memfd:spawn_worker_trampoline (deleted)\\\", \\\"memfd:spawn_worker_trampoline\\\"])\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"memfd_create\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1620-reflective-code-loading\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"20v-gdb-0ha\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pfu-dvh-e5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pam_modification_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qem\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was deleted via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"user_deleted_tty\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1531-account-access-removal\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-brb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"regedit used to export critical registry hive\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"reg.exe\\\", \\\"regedit.exe\\\"] \\u0026\\u0026 exec.cmdline in [~\\\"*hklm*\\\", ~\\\"*hkey_local_machine*\\\", ~\\\"*system*\\\", ~\\\"*sam*\\\", ~\\\"*security*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"critical_registry_export\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7y2-ihu-hm2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id == \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"net_util\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nip\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Browser WebDriver spawned shell\",\"enabled\":true,\"expression\":\"process.parent.file.name in [~\\\"chromedriver*\\\", \\\"geckodriver\\\"] \\u0026\\u0026 exec.file.name not in [\\\"chrome\\\", \\\"google-chrome\\\", \\\"chromium\\\", \\\"firefox\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"webdriver_spawned_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows registry hives file location key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\hivelist*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"registry_hives_file_path_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hba-kfe-1xr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n utimes.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (utimes.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_authorized_keys_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-a41\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The base64 command was used to decode information\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"base64\\\" \\u0026\\u0026 exec.args_flags in [\\\"d\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"base64_decode\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1140-deobfuscate-or-decode-files-or-information\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ucb-5zb-rmj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-n3u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows shell folders registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders*\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_shell_folders_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6oh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Registry runkey has been modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"registry_runkey_modified\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mcv-y5o-zg5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"cron_at_job_creation_link\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-l8e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"sudoers_policy_modified_chown\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"g7f-kfr-tdb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Python code was provided on the command line\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"python*\\\" \\u0026\\u0026 exec.args_flags in [\\\"c\\\"] \\u0026\\u0026 exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", ~\\\"*-c*/bash*\\\", ~\\\"*-c*/bin/sh*\\\", ~\\\"*-c*pty.spawn*\\\"] \\u0026\\u0026 exec.args !~ \\\"*setuptools*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"python_cli_code\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wqf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows update registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsUpdate*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_update_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"48s-46n-g4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"systemd_modification_chmod\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"94l-lhd-e33\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jr3-0m8-jlj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process launched with arguments associated with cryptominers\",\"enabled\":true,\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args_flags == \\\"randomx-1gb-pages\\\" || exec.args in [~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", 
~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"cryptominer_args\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7q3-6aa-pix\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_authorized_keys_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Jupyter notebook executed a shell\",\"enabled\":true,\"expression\":\"(exec.file.name in 
[\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"jupyter_shell_execution\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS CLI utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"aws\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"aws_cli_usage\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1651-cloud-administration-command\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-juz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A privileged container was created\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003c 1s \\u0026\\u0026 process.cap_permitted \\u0026 CAP_SYS_ADMIN \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"deploy_priv_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\",\"policy:best-practice\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PHP web application spawning shell\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name in [\\\"php.exe\\\",\\\"php-cgi.exe\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"php_spawning_shell\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hbr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match sliver c2 implant\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*NoExit *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*Command *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\\\"\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"sliver_c2_implant_execution\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1071-application-layer-protocol\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0en\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The debugfs was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"debugfs\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"debugfs_in_container\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-crv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"sudoers_policy_modified_chmod\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qt6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 
process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n\\u0026\\u0026 container.id != \\\"\\\"\\n\\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_open_v2\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x51\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Safeboot registry modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"safeboot_modification\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xa1-b6v-n2l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"cron_at_job_creation_rename\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tp8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process opened a model-specific register (MSR) configuration file\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/sys/module/msr/parameters/allow_writes\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"open_msr_writes\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"34t-hic-8cn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pam_modification_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rpc-ji0-zfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssh_authorized_keys_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3i1-zpd-ycj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwy-h4d-pwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"systemd_modification_chown\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bv2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process matches known relay attack tool\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"*PetitPotam*\\\", ~\\\"*RottenPotato*\\\", ~\\\"*HotPotato*\\\", ~\\\"*JuicyPotato*\\\", ~\\\"*just_dce_*\\\", ~\\\"*Juicy Potato*\\\", \\\"rot.exe\\\", \\\"Potato.exe\\\", \\\"SpoolSample.exe\\\", \\\"Responder.exe\\\", ~\\\"*smbrelayx*\\\", ~\\\"*smbrelayx*\\\", ~\\\"*ntlmrelayx*\\\", ~\\\"*LocalPotato*\\\"] || exec.cmdline in [~\\\"*Invoke-Tater*\\\", ~\\\"*smbrelay*\\\", ~\\\"*ntlmrelay*\\\", ~\\\"*cme smb*\\\", ~\\\"*ntlm:NTLMhash*\\\", ~\\\"*Invoke-PetitPotam*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"relay_attack_tool_execution\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1555-credentials-from-password-stores\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fsq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A cryptominer was potentially executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_cryptominer_process\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2rq-drz-11u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process unlinked a dynamic linker config file\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"dynamic_linker_config_unlink\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"y5i-yxn-27t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.mode != chmod.file.destination.mode\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name 
!~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_chmod\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-18q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tar archive created\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" \\u0026\\u0026 exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"tar_execution\",\"product_tags\":[\"tactic:TA0009-collection\",\"technique:T1560-archive-collected-data\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dkb-9ud-0ca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container loaded a new kernel module\",\"enabled\":true,\"expression\":\"load_module.name != \\\"\\\" \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_load_container\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4xu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the lsmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"exec_lsmod\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1082-system-information-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mq1-y7n-kf2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] \\u0026\\u0026\\n!(process.parent.file.name == \\\"initdb\\\" \\u0026\\u0026\\nexec.args == \\\"-c locale -a\\\") \\u0026\\u0026\\n!(process.parent.file.name == \\\"postgres\\\" \\u0026\\u0026\\nexec.args == ~\\\"*pg_wal*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"database_shell_execution\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"prk-6q1-g0m\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"systemd_modification_rename\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pwu-7u7-iiq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_TRACEME \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ptrace_antidebug\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1622-debugger-evasion\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-lel\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Perl executed with suspicious argument\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"perl*\\\" \\u0026\\u0026 exec.args_flags in [\\\"e\\\"] \\u0026\\u0026 (exec.args in [~\\\"*socket*\\\", ~\\\"*bind*\\\", ~\\\"*sockaddr*\\\", ~\\\"*listen*\\\", ~\\\"*accept\\\", ~\\\"*stdin*\\\", ~\\\"*stdout\\\"])\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"perl_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kyr-sg6-us9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_chown\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-2k6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Suspicious usage of ntdsutil\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"ntdsutil.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*ntds*\\\", ~\\\"*create*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"suspicious_ntdsutil_usage\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A scheduled task was created\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*at.exe\\\",~\\\"*schtasks*\\\"] \\u0026\\u0026 exec.cmdline =~ \\\"*create*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"scheduled_task_creation\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"v2b-cd3-clr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9f3-haw-91q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS EKS service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", 
\\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"aws_eks_service_account_token_accessed\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"NTDS file referenced in commandline\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ntds_in_commandline\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A file executed from /dev/shm/ directory\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/dev/shm/**\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"devshm_execution\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"422-svi-03v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation\",\"enabled\":true,\"expression\":\"(splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) \\u003e 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"dirty_pipe_exploitation\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tat\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows RPC COM debugging registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"windows_com_rpc_debugging_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sqi-q1z-onu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Network utility executed with suspicious URI\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"net_unusual_request\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-y7j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 
container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_open_v2\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-myb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"sudoers_policy_modified_link\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-3b9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"credential_modified_open_v2\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mmo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n(open.file.path == \\\"/etc/sudoers\\\")) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"sudoers_policy_modified_open\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"a52-req-ghm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Exfiltration attempt via network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026\\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] \\u0026\\u0026\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"net_util_exfiltration\",\"product_tags\":[\"tactic:TA0010-exfiltration\",\"technique:T1048-exfiltration-over-alternative-protocol\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-969\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible netcat shell detected\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"netcat\\\", \\\"nc\\\", \\\"ncat\\\"] \\u0026\\u0026 ((exec.args_flags in [\\\"l\\\"] \\u0026\\u0026 exec.args_flags in [\\\"p\\\"]) || (exec.args_flags in [\\\"n\\\"] \\u0026\\u0026 exec.args_flags in [\\\"v\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"netcat_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ibc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The mount utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"mount\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"mount_in_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows winlogon registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"winlogon_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"s9m-foq-qqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 
process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"credential_modified_chmod\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"gx3-4a5-w9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory inside a container\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_load_from_memory_container\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgq-lg4-tas\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SELinux enforcement status was disabled\",\"enabled\":true,\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] \\u0026\\u0026 process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"selinux_disable_enforcement\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows Known DLLs location registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\KnownDLLs*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"known_dll_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1574-hijack-execution-flow\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-do7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Possible ransomware note created under common user directories\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n\\u0026\\u0026 open.file.name in [r\\\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\\\"] \\u0026\\u0026 open.file.name not in [r\\\"\\\\.lock$\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"ransomware_note\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1490-inhibit-system-recovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mqh-lgo-brj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ehh-ypb-9pl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler was executed inside of a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || (exec.file.name == \\\"go\\\" \\u0026\\u0026 exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) \\u0026\\u0026 container.id !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"compiler_in_container\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1027-obfuscated-files-or-information\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qf8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"sharpup tool used for local privilege escalation\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sharpup.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*HijackablePaths*\\\", ~\\\"*UnquotedServicePath*\\\", ~\\\"*ProcessDLLHijack*\\\", ~\\\"*ModifiableServiceBinaries*\\\", ~\\\"*ModifiableScheduledTask*\\\", ~\\\"*DomainGPPPassword*\\\", ~\\\"*CachedGPPPassword*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"sharpup_tool_usage\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kubernetes DNS enumeration\",\"enabled\":true,\"expression\":\"dns.question.name == \\\"any.any.svc.cluster.local\\\" \\u0026\\u0026 dns.question.type == SRV \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kubernetes_dns_enumeration\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1046-network-service-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mr5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process hidden using mount\",\"enabled\":true,\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"mount_proc_hide\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made an outbound IRC connection\",\"enabled\":true,\"expression\":\"connect.addr.port == 6667 \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"irc_connection\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1071-application-layer-protocol\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9pu-mp3-xea\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_rename\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mu-d2x-fyk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"q08-c9l-rsp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"credential_modified_unlink\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"5t3-iiv-rv5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == false \\u0026\\u0026 load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\", \\\"udp_diag\\\", \\\"inet_diag\\\"] \\u0026\\u0026 process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"v5l-ynv-guh\",\"gxu-c6v-pka\",\"1os-ptz-he9\",\"ddu-dat-9cx\",\"oiv-iar-6uj\",\"n6v-uoj-6jv\",\"zay-klh-gzk\",\"t0c-318-ksc\",\"mnq-jea-ord\",\"hjq-1ou-gxj\",\"zt3-q2u-xka\",\"n52-kmk-gy5\",\"lwi-ota-cdp\",\"eme-xsc-20m\",\"acr-3t9-p0d\",\"hw2-pev-bdl\",\"mm8-gf5-1mh\",\"wfe-tga-w8i\",\"kz9-gsr-aet\",\"u2n-mby-zu5\",\"ygu-bj5-cnb\",\"8h9-6l9-ofq\",\"x6i-kv0-iby\",\"wry-lqz-m1l\",\"ljy-djc-pxw\",\"kmt-lzi-f6r\",\"CWS_CUSTOM-canary\",\"hdo-seh-iaa\",\"CWS_DD\"],\"name\":\"kernel_module_load\",\"product_tags\":[\"tactic:TA0003-persistence\",\"tactic:TA0040-impact\",\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}", "encoding": null }, "headers": { 
@@ -26,7 +60,35 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:58 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:25 GMT" + }, + { + "request": { + "body": "", + "headers": { + "Accept": [ + "*/*" + ] + }, + "method": "delete", + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/v5l-ynv-guh" + }, + "response": { + "body": { + "string": "", + "encoding": null + }, + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "status": { + "code": 204, + "message": "No Content" + } + }, + "recorded_at": "Thu, 15 May 2025 11:49:25 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.frozen index a1b59dc82..78b68096f 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:58.973Z \ No newline at end of file +2025-05-15T11:49:37.428Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.json index 4cfbd3b5f..84f296222 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.json @@ -26,7 +26,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:58 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:37 GMT" } ], "recorded_with": "VCR 6.0.0" 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.frozen index 9c2278bbc..c22edcecc 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:59.240Z \ No newline at end of file +2025-05-15T11:49:37.644Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.json index db5e6342c..0d61e38eb 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.json 
@@ -13,7 +13,7 @@ }, "response": { "body": { - "string": "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", + "string": "UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAAOAAAAZGVmYXVsdC5wb2xpY3nsvXl32ziyOPr/fAoM35z52b6hNi9Z3s3Mc9vuad92Eh/L6b592nk8EAmJiEiADYCS1ePJZ/8dLFxFSpTkeEmUPm0RYGEhagFQKFT9P+D83eWHq+vj99dvwJmHBQeCAuFjDoY4QGCKgwAQKsAAAYaGAXIF8gAmQPgInEIBPToCx1EEIPE08AABOkFsyrAQiIApFj4gaAoiGmB3pmv16JQEFHq8BS4DBDkCIfXwcAZYHCBeVf2QMjCMgwAMY+IKTAkMsJi1/jJBjGNK3oBu62C/1bGZ+6rzF1XLm78AYAPsvQEwiiALKXNUIxh5jhCzvwAAgIe4y3AkVA3HRLZ0LCFBxKj+fMhBUkp2CxKAiUAMugJPEOCIy9ZVXUMcCMRUs/KfDSgHb98CK8AkvrVULrqNmC7xBqBb5LZkGy0CQyTr/t2C0PYwh4MAWS+ATLk0jAKIiUnC2MPC+gT+/nddXIiZo0r/9a2lWzDFvTdgCAOOVF7EqBe7whFwlOudkJ/gvrk+7nQ6h7aHhohwZKMJTD9IQSHXJ/iPGL257h4e9WwcRhCzBJyncBq5b4TPEBS2hwRSSMpQIHvuisCJORyh+bG/9lEKA1wahoqcIAcxR56kSEMfCsa7h/GWkEmDVjqgkI24MwzgiCuaV0jhcvAD69PTH1/PcSkZ4lFK5wvG2QMaNmZQvgHz1C4Zl8YCxByTUYqcdYaeRojooY+g8BVkGwm3rerUf72W7I5ChIZWOPg72PngnFydHV/ffXCurz6+P7n74BxfXp69P7374Fyd/np198H59erD+4vfdsE/QEcWjxh1Eec5VP81j+rngEUpvhzZ/2aI1DLzARGo2CKHQdWBlqdTLZWSPFPGsXnz6XtH8pQ7boAXScLjX/vg5OIcxALLWU6hVcqnWKB7k31Tvskw9Wzdn7oBOjrs2m5AY8+GXogJ5kLLGdvI9vJoDRAXdqSmVRetNJRozB2O2AS7yIGuS2MiHEHHiMgU4ryOeeQYn/3cB6YsMGWBKqtGvFB+xREvi7wvwGpPIGuzmLQ5chkSvI3GvAVD+CclcMpbLg3bpi+mK+29vZxALGBPddKa4wTVVjpxtWkk2p5eQ9lwhIhoo3CAPA957QEmbZWlGHUJIJ9xgUI7YnSAGsEjN2ZYzOzGLZivaF5AMOiiheDpF1Z/ZxtGYRuTz8iV0klQRz87LCaugo05U3V4nu1TLmxMuIBBUPnOpURATBCrg6oGqO50kuMGMReIpR/5pVgggu4YjhCXVDL30rSCmHy7ycrlyHYZ8hARGAa2ZohqgXjYs2OiEI+8XJnVxCIOPT7PrXJd/msfnL877Su+dOWXeWCCIYCAIDGlbJyIynV4VUlHKZc020xHSFGLGzOFpmAa2cl+Jbf2lktFVeCLtdc9et3qHR60zG87gAJx0Q6RgLZESRvDMOOK3Oi0Ne6yCl52Wr2/Hf/ad04+vL8+Pn9/diWnxtOz99fnxxd95+rs4vj6/Jcz5+PVeUXJ9l47V/k/sff2iWF/TTH/Z8zQAuKQr58TeUi60GShxknM2hTGwu+1lVj/J4ywbba13wb+BpCjowPHQy71alY8GqRy56eLAUyGlIVQ3M92W0LqNis3fwrT3kZj32wh2T3o2B6ig2HMXSiQTeWCUn6vLfvKZbr84U1G3EVMSJKvW2SemPeFlaVS/DBIeIgFoCwZeAgiKjQ9BDMQwgC7mMZ6w7EQE1NMPJosM5fgIulwC90ihZGdHc13oRdggtQCai9mgQtdH+1lOCu851GAxZ61C+7uKt7qz9mzdtdHarebrF9t+b+c1RkNqhHbO
bQxGclvtgWlga1GdohYcxz6UDBKQ4ehP2LERYXsA6fv+8C81ns/6CGlKoNpceDREOK1eMYjvKXqxpTktFQe5i5lcsceKr1UhFsCBWjEYNiibKSEo0daBgxGkYLcgJdWGPbDlz25ThXUlUMeE4ICTEbNx5yGISUOQcLBRLBYjoMj6bJq8EtzC9jhsesDyAEJYbRr6gpmWpBhpTjUNQIoBHTH/L73dQo7snGJghBy7kKlORxGmCi0/DlicJA+9OQTi7lI4CKinj4tVIf9IiHN9LQJUjsvbUUhE8RmlajsHBzZZohtszGqKNEAoxEOkAOHAjHHQwFOi5fQaSAZmDIqpNjjMY9ysk6pf0G6kl8HX3e2ASyoP4z2A/wDdMxrKf/MIwA7VXtJEUY120Oz5miNqVogtvasT7tpXXd3VbqcL3pvaupUmwlGqUgSe2pbYl7ITU1AXRi0AzzIdhcA7Ob6nmxKs1XTZziBal/lBlDT4shV6YHrWp9kv5IykLiIC8rWK11ihuYFs2ZXqiL31fNdSHkmwpEavWgmfEqyMfv73zN6amFPKbHqtTJQUXaO2HzI/Tfg3/9pyHALViQ5qAM7YniCAzRCNuIuDGCtkqfTe2mnSxdv8YqlKKQPbB9/hu440yLZw4BOV+Vq5mDiFDmylqnzCx1MOPYQoMNNGXqntDlYTm9VInt5qZ2KJdOIWpW7jUGMA89wLoslte3uVlCaVVAflchfiQZJjakSw8UBjkOjjNhA6jdbFq9CWRttTVwG3XEII0cOo1OYiwuU9DOhUwLoUHYdTxCQS7q0sMJBs4l88Zo4Wa8aTCb1y3cGoW6I5BI5l4pmD7NH7HT2bcrzwF4cRistrtKi2UGs64e0Yrj7cpjVCWtWSE3CHEwRQ9kZhznbAIQSmwtIPMg8hZx1uDmdnrPJF4Ad1cXSjGkON7gPPTq1krOOkUmD3Iw7PzUUlLTAanPJXhMc6XokvxVzTGrEyu9zOYpDE/720mw9Ude8VLpG6o6rC5TfqDZHjMYR9Eq5MUesMjOkFZkeKmpHRxHkfFrsluvDESoWdf0KOJMFPlUPd5VQSwb+S1YLjMRecVSi8aiQwaKwkI4JFAIRD3l2HI0Y9FDhNVHguRYiHM0tn3L5GeAsDjOcw2icIQYP2pzAyNN/s1WXkuwZhXpyt0aUgGyFcvf+17f512GqgHkaskLZN2CJpyVSgk7JU5cSdFpeV2+lxFZKPB0pkSfRvJiI9cYj91bm3N2BGvjRHPwIexso1R5NqgSYjJ+2UJE9XFGm5Irf3YGsgjwGG1e2FVBbAfUwAuoZig8aIeJMek9aghTNrHJ2VgWzqsTuajexr8rLoAp94VZsbMXG0xAb1RrUYq7LEBTIc6AA/wCvO/wZihqGCAwrjnGfkKTZ0X1cUVIUVyv5Krbrla3gecKC5xkKkZg8/Q2P7uOKQmTL9Vuu33J9HdcLHKIKu8knxfWqj1uu33L9luvX4XossAsDh6ER5oLNHHQbUVZhL8jQCHlYpJa1Gi6tACQVAB9P7se0U5k3MDRSZp0vgGV6oJKf5ow4zbG3Pw5Cc8Dtj9HMUch0Quj6mCQn3/pKSpKA6ZOxsX8+R+IGd2ZA1a0/vuDaH8ywZYrMX/xbD3NThkW691K3qXL2YTenKutm78aUv9EI2O/dbHjBpKE9yP6RHUL+RyzFYFO2oMSBwvlMB45SAWBK6swNjgmICYyFTxn+E3ngMx3oG2CepzlFVga46yMvTu1J72XqqzQuMPZ4PKI0aMumU7M8OQXKjNbeXJZQlp3FDHU5aKWZMhXYojhbmAbApufOS3rwNaeM+5i8V596NuGNZZcsO4f7tiFK5NkC8rFNmf2ZDhrIH7Ae+1Sewz8m+1Scuj8X9nmAA9ktuz1ndqvW1zwet1XpZu6Z2XLNNTi+Xrvx1baPjbl6y3PPnudohJ7SDFfnJ6PSLUaeV6uObddmlwecGLcs9OxZqO608tGYqOZs8p7ZoTh1LT/LX
Lv57eS15bxqzqs74ns8zqs+0Fub9LcT0ZYdVmCHmrOvR2SHypOuLTts2eG+2WEWCRrKIXEgG1XxQIJHEMCYyG5oT62QjeIQEcEB5Jy6GIrkTa5Ovg5HZB4FqOpDcmHVjWI7YpjqcxuJCY8SKJAdoAkK9nLXZnPuCGQ7DBKPhrd2dzSwIzhC3CpAJsdJyvVcHP6XcA2i0xzOg2JOdx6oOw/Vm4fq5aAIdpEPuW+SM8QjOkVsETFteLP7oKOcEbqiks4OXh/ZDHEaMxeZa9erHVFlpITIpIKULg0hITLBjBJJPWACGZafyUEIhZsQjxszhog7A6q6tYlIdkMfLV5++HDhfOyfXUke14mri/T58rjfl4nTD++Pr8+ci7Nfzi42YemvO85xxB0ewSlBnsN9FFT4HOnL7JRxDTAYMhqCiGEilDPDDQZ2iPPuNAsXxCPIEBE5CFnXkNIQCuzaDEebXArv2pjgZaet3dcdG91GAcXCjuJBgF17CF1MRjaMogC7K3pIilng6AnC4fKn4rz82kfgVIEADaJWCQwNkaRi4xAauB+vLkDereVmI6+8IcWs2imxIvqY4Ftbd6jG4Zj+rpaE2dMg80bSG6BrmeeWo+5+zuMhJF7GF6s7cPGggAPIkeYJpzinlqa0BBbkKCJlEwhUDS/0T+K15wWgDPx0fX25iYu4bLGXITNvyKQWI5D71gsDB/KrlPILmVmVJRSr1dRSUWBQ1+LciyTT1m1UFvqzprK6Rtya/HFNvqgqEOBBW4oGBsOh9qPFdWdjPhvQ2/mPqMhPGhjiiq8ec//1/lwuK3cyyayADapgw7rMRSPsch+yaK5YRGtGjLnzNFKHjVkVyv/k/mFlZtJLINdeyXu0kh/EUrkiS+iWXLnpMI/+SH55klBWbUmCTkmaSGE8KFD6nAJ7w/QJs+QRuT5NnoO0qoAnT+E4BxyOSdZ2OBYoTJsMJ8lTNE1BGIJegMk4TYfZU65aHiCUVsSFmKXPM+Imz4LGrp8kYjkZJImJqSrlOaYBU4bu8TgsZECO9nvlnKODck7SSEqCvktJIWNcqlkSQCGtnO4VcuJC0sPMpQFlvJRZbtqL8ylEJoXkbQSJV8opDMkQuoIWc8JCP4Y0KFSgDC0LnfIRLED4lAtcyCmlEle+WdZnigvDl5BGmqaj8neH3mFpiHVOS6Bb5RKx0MdwPMRDms+R241CutAhQv04KmTIBV0hIw5LI0ULXxlBLlAxQ/iuX/isCJPxrJDBiilMRAmjKm9YyBG3+SRDMJBNFfJiUqJPjv4oJH3YLY0m92Gvd1CReXg0n7n/qgLysFtmL+4z5BUz4sK3cMoKQzrHJFLAFtPeoFRFsUkB3WISF/AsEComeaF6gUNEi3wpWDEVExcWES3KX2HkVpKMyTxbxgT/UUyXWSDmqCgLpoUPm/q0lIQhTnKMmTKjNJ05khn/0252AFq7Z1FzTzjjfwRKKRRSMtL20xHlYsRMcAJTy193Fu595LLEG1gZfLYKl69tFyhdEgI2tHYb15p2pKbeL9ZeNHKmMNjIj+ljbLg8NIhHQ77EY5vcchnIssu2TX21ZesXCWQasZ755ggFSCBHG+M6AR3Nj2im6NPAnnFMCnQhENCRvvexzphWHu9kkQ5iESpfpCojoKP2tJwxKGcEkIuAjgp5Q4iDch6f8XJWiDhXasACnHJqXciCsfBb5cIDSsVc5hgxojI/5VUhioZS3445JXNODb2BlqmpSfTLjo2JJ9mQMpuhkE5gsALhRAGdORHDk8UOFFNnkF7GJtrNur5WvQ7V1OmaVrjJ/d+gyws4gZETIRZiISn87+Dk+NLp/9Z3jk/fnb9PPauuh48VPGIedbsKJEK2oCo2RAOMFN6X3Rgm6JpwP1ys/JADmslLpRRse2jS5n7YBh5mSC6Q11JvlHZwEjKteW9vE2HZjNQPjw5sH3vIhkxgudBvHlXCw0zMnAhHyIFC7uYq1HyXiXtzcCqhgYQGZuLTK
qR80RXHbkcu/VzUUl1ARLCZUuWBv4PL88sz54ePPzo/Xhz/yzk5fu+8O7v619mupHwV5KhY9BaLpSXfJiUTtjCmxIWYScZcuLPJ+mEFlugcvbLzg2kPKVtcegWc5iteA7GbI7QJVv4BOuA7wAoVBAnHi8NokZw6zcCKUR5kBkzXKiEKlwmrZq5Utet/1ai6nVUXO8ClQYBcsZE0e22bWmpHXQo8KKAtpbOt9ge2XoY1H+YZgSF2lW04YknAv1rDn3RANYRSg5sqgK7CxAFU08c6/FCzBETCbQdei9NWxJDSCb4A+VwV7i+1X8jyWl57T7/89HjGBqsZCeRLrni7dD06W4HPN3e1XU1w6rbgInrTTvQFvXd6q41FeA/Udp9RCR+MWB/JMgY0vAW+NJRb45hv2zB0zzsMXYFi2GjSyWhk7nMLGTzNeTZSUxZzAl552/hnxAgKQEi9OHW3EWAuUmcbwkdAld3YrCBVd6nqNlnbLFNrdV71zFIm76R/DZWWGjmt9p0fumsfAf2uECoMNXG932icjL75aw7U/n4yUHQqWZEyO+aIrT1ULOQ1ilT1SnZ5xGB4n4Mk691gjL6qHZX+TNkpZ4CFo2x6q4cngwQDLIoWwBAQNA1miZZr7dVKahmSuwyPiRNHEWJOAGeIZYr+HIjrQzJCjsAhAv8N9js8B1WlJJuvocGF/Gbl/g76zvn/fuxf3cnff11dqt8P1z8VL53lBbuW6f91u5G4bqYa6vV6KjqIUqSnSi5bqQIVCrit3WKseFoh63T4jLgOuh1Whf+SBMTcgBL0taI064lRNSFnQqZNBYDFh0KpzM0Pd9WPp3+YG20y6t2Orb7XRGuuHPLOwasCkC2Flg3lp0q6maA0ANsKo008J3OjUmFjKiFSkc8RZK4vZ8ohZYCnnqzWPsYoijfZVnVonVwXN7MNb+phpnFgztqhHblRfeTUf51cPuW4qUmc1NaI0pESnIrGgrZLwygW6F0SR3XS1cYYxEVJDG3bBNHmbQ8NYRwIHVxV22SXA7JuUN+TooL1YiD52PMQUa6HFkRAOjZw+pxh/mw2Hy2PBt4GZ7S5E/EvwGrlNHbFbf8Xq+3TEKU7j3z8unI8u9xxxSYYazYpbXBeIVnVmXTr4rbmQmFPuoXIn5jzeL1pRzbZUrH6nYjRCfYQU+Bwqk/H1Xs45S2sA3Q7k558r4ZtTuuRj3v3t38XviaJ0s//U0KAYLH+1LlrEByJJCH/ycpLQ5RWmgMbYhR4b+b7lQOBUYRIvmn9T4jgDeh20n8NqeKr87GhDSn+ZN4kMYZeEv2O5IsYs2dJK1xAdq9h8NJVbgWXbs2ft+bPaeazM3+uu4OBK69VbGQ4tOy+4JE6X0oNh7wQE8yTNXheUdRoniEThEe+I2mqbrJJ73Ul83zpgqCxI1K557o+HRcxq2+zszuzDOxHlA4RO780N+quUBTMrun5JS9mnKpA16XMd8cnSU6f4KGpZ5M1wNJTvsPDlzb0JohxyGY2JrbwkR1izwuar8lw5Lg+csdOLnp3aTl2+r4PAkrHsT5I9eRWVIf+Pr8EqjAwk+NCVNSI9JrY39iFxId/4iiJ/o0jG0Y4SYUzHLWonFsJT/JUV3DUgiH8kxK5kDAvpj4UmKsicAxDqGuZP/bLjIQ2wNpStVz3KFHLJUGn9UFVzNbVZOJIKZe4g1QYeAcGAZ1WLa3P1HsgGBwOsQsMnFEGJ7Wsg8TivjapySop4rVIY9aHj9eXH69bezs7vcPfO/bhp7ud3u8d++DTXffGu/u9a7/+dLd74+3etP55M9j998F/WnvHJydnl9dzqv0sXDizdrq9lzet3budbkf/vOzdtLq/H9mvP2Vp2Y5J//8qY//3jt01AK9lgaNXOnH0+kZu2W5auxsxcdOFfE9pKjFLwFdYyTNXLs5ITlDUHJWqoP2QABqLAY2JB86vTkCp6IqIN6Vb0PNYSzn5ffsWHB0dvTSTVvYSc0fb9kqIdDm81
qCuEKa/87KbNyK2lSZ0db3RZziB5XuBjrarrhpwCQ7Kt2e31wK36+LtujgP3WRdvL0WaG2vBeYzttcC09T2WmCStb0WuL0WaPIe7VqgmW8WuTJRc49cHMoJ67NaGPooiBDbaIvxCHfsPsfRTCDWxFXG/2hQuVFDA0rHmZbHLIhVoRUXvDtVR9h6Pk+m8mQWTyZwNXebaVvN2Gqy1hObmaLV7KzkXTInJ9NxOhOrSVjPv7mpV826yYSbzLVmmjUzbDK5JvOqmVLNTJpMoOm8mU6XuVkymRyTOdFMhekMqCe+/HyXTXNqdtMiMGUaM4WlM5cWw2aeSqcnMyulk5H+k049ZsYxA5HNL+m0kp9G0tnDTBpqrkimiGRmSCcENfKJ+M+kfiLsVedzoj2V6FqQ5+R3Kra1tM6EdF4250VyXhLnBXAid424NfIpGX8jU1NRar5fCU4jL7WYNNIxE4pKFuZEYCL5NAXl5JwRb6lUS4SZkmFadKUSy8ipzKtZiV2WLqArS+ndoqX/ZDtCnaE3dvmfdL9hqf2bpd+orZal9iiW3ndZ6c4p96R3TJbZ91h6V2Ql+yBL73ysMPvJWkv2MpbevVhyr2Lp3Yml9yKW3n1Y+f2GuttdYWyc7TqM4LONNFNy3GQFcPDcxPj4FXci6iVnm44xPXCUxYGju1Fn1PZzPECMIIE4iKiXaICBqQKoKrSpW76aFeV8qtioMMb/kl3/5chlSPD2OO1TC9PEoML0KD2hX6XAp2xSz3qQ3qHXhhnz8/7WNn1rm15nm96AWiS5JP11cYDjMDe4LmXII7zwUQaIRohBNZUDqx1CAkdIPw+DGBFhD7D+qCxpVdzjCGjs2YR6yM5XYRjGlvIQ2S7HKtcQWPGN7TE80UpWZeNhw2mpuzDALlVtpEMPp7ytz21s1YMpFK6fp57qd6o8GWFya2OiDjcSbXBgOp5iLhaUu7CcHTEaUSalmpS7RRgfRozezupqlrJDTRzIDpFg2OWlwbZHY2Tr0HemyEApDrRtmW0GTn+CHG+BWGgsYm0fEi+YQ191jRMYB1WolB10hSZvfQVQoURKVlQMNznCIoADm8Uk/yarSbVQdetHs75CeIAJstVtraoaTMS/5Ay5MJBlApxDWBOm+du/zSvEzcSFyeg/8wW3N4i2UrqhlG7kQLfScqyCFHMwVWZjkg5zIIvMxo4e32ysfkGpbhw5+sZRbRBEQNDUgJrLSdmdiI1WiY0iHgZ40DZXolJKiM1ZTy5/heAXX/PS5WqXJfMlV7whPPed33LE3WXf+de3uWrH6Y229cNRrrcl3LcjxDjmApGcmXWBZQ9e2gNKhU2ZHdARJXreFJCJCisvw74VftzLjFsdfvGhGLc61uKWcbeMu+w7FzPuAwTCfF6MXufM40H4vCZgT2M2z9XVLIRj45q3AmQrQOYEyHNkbwor19/zrC0h1+NtWdK019K1OENGQ0c7Vipc4MmD5u/v/G6RoWNMRl+k5qOO7ojOOSpnDaLC60JxA0x0rCEydBhSO1UcTQ5MA87V2f+cnVznm2NwKpOxFzkehoqQsfIgJROL6KbwKV+sIQxcShR9VtM7jERLKwi8lgdxMJOZt/oD7ACNoDuzwzgQSsfGudH+2VPKxhueFNfQ4cIL88uLr03G93gZf57uF3ubzFxMaprV9/CLjLEpNyz0ObmRjfl9I2KN0c3x+CoSRruLbOB0rcH4VkubzUyLn9jQLibiJoOc3L3b8OJds3H/tui8JkLzgyyON3MQlquoLj7zdi28XQsv+85vai1cGyz6Qfi5PjJ0Y0bM1dY07HPjurdMvmXyb4HJ693TPgiT1wah3jLilhGXfee3xYh1EbEfiBHrwl9vGXHLiMu+8xthRM6WO8828Sa0K0pE5HcBWUg5h6WSQVFg8wi5eIhdoI24NonKnboICKmnjaNA+UK/cpIfcranvBPoT+CbeMv/qk5AJXk4AeYV18Abed8d36vzXUWsoMrDnWx4M
28kS/1a3Jdf3jGhU+J4QeAYo8GZM0YzR3vXrLJG/1X7eAE/y4Lg9OKCq4ho8iVIqgBjNAOFKlb2GMORaCXVtWSP0onli/XTz2e/ORcfTo4vnHfHJz+dvz+76f/Wvz57d3OiIpGLE23y2Efixjze9HXF4J02s71R3Ze93wxPDR1ONHU8XSVgUqN5xyPcQSQOEauJjJK7JXD6vg/KsCtS+7yvGOU/jsxa8n8+cVvGBLClJgrFCoUyYhapMv2rXyp0lV/Z8cvBUerxJfH1uDp3BJ5jIg84MYl5DAMnwAMGmabHeQxc+whcnDqXV2cXH45P03j5AHMQ0SgOlNfhwQxAdYKuXRLnXSziAN1DUKc0kv4XK+vM2z3tOlHN77nszIniRpzwoH7YAzyIYOigQTR0fEor9qAXGk0GssUpkHDpbIB+uPxxneEdRMOWG3oS5IfLH513x5daWXw2N7Ni5SZHN3/T4nSjwW1qU9o5PLIxiWJhuzASMUPNR5RSgmaOiNWyhCchmCoGVgGCawMIdk5+ObN7nd6+ffC6290FpmC22FlnmLO7cJmz6v7H89MkJEf2PsYKGVluPgpTmRn2/nVx/sOJc/3x/fEPF2f9ByP4+w/LFKJwqHwrw6olp3oL6OAzcsU9RvSTi0VVdaXv1rfJ2WvCBvkL2YUtTW6/Uh0PorDHUTFNbJUP5AsWJ5nyUW491ct2SAeztt6l3L46co4O7AEVIkBMwgpbfaI9InGbz7jNKBXFXqiNShbGNYso6tk4cm1zc7z43dlFTTUsb9Qdc0ebDjiCwVCikSCwY2J07sreLQRNbravR5LNViNHvY7N0FD5upsg26UesuUUt8pKPMQEq5hgS5wMmhNL5ckuDqPCajypAwxjomrXJ6kuDfnE5S1vyWX1Zs4G1QbnHSb4dGGUMNXkJvue5iK6s29TngeWY7Dq2JORE1EaONpT4Pz4Z5tOud0KJsrmQq4JFclCzqmLYer80WWzSFBdr7p0MVnTNVa1e8Ev1l4rxATdhiz1KFhISgACCZWf1KJM6TRKaQnC4yiiTOSqmcuRYO6+Kpf4Kcyn5OuopzKwuk6cT8iXSPjqXhhKulHOkEDDXr6BQko1QCUrt0Kla8kn5EsWBZCI1u3sT/m2kDLDhMmIugiSpAflrK/jSfGr7tuTraB2Rm78W0saVk6fJStUKC+vkIuICLKNpF4dm9LIA7krM1pynL877a9DtcoVdswCJQzae+0QCagC+rUxDLPbYrn22lqSVAb9zgemSEJ9dHsdDu7uimirAtzv8E0mgKZCaPO7R6G6uu5TLpxhBfLkPki+1DgzManlLKDK3Uvgb1VTS9NktgJpK8Tod0PuqC2oZA257wvg7P4Dg6+wDFwrjHB+uJcHWVdwlaFL7mHEy0rFmIjnPZ6SHR0fewsWMCY6gl61qFLrjJymR/U3opiIVk6bpS6XtrtG764SvXxiP584yCcO84mjfOJlPvEqn3i92aan2Qpzg0gJBAk9SyTOUeZRczynMZF0PmVYCES0cuUe4pyUnGEY4zBjG1YODdnUUaKpUk4d5nHeZkxNQibIBZh3hZEsqLifLHeS1VGyhhlTK3egdndX485D7n6SQ7kAD9JnJNzm8TY2OqZZwbNst3OYegYQlAa2YJDwoZFjTQkr0eGZNcQ8ab0v0k3JR3qO7D5ena9DVP8HreRWs+psoRX55oxur/U5Gu1Zn8D/eU4oEFVht47LHLtx1K2Sk95syDl19U0FD+t9Btd7KPkspxA1tAQJFwo9zMRVSgUii63tIXW3JtJbqjTJ8JxoSSSGlWJd9spgvNt72eq0Oi0zW+yFVHiteBATEcuupIZrz4cWnLnAZAXCOMu9TVSKKpbVfUr4lTCZITJFmUNVb3mCtohyocLXvdVoUmm5nzDpa/Prvf3/9EMcybrzRX58KxN7lc3lTAMWEcgmlPA48eJSmlgSAGehsLiHde4zkR1//Y5lhwuFk/mzrFy5ZxFNMPHUN
puMQEQ5x4MAmTqMd3jdxHoTTZU2WFeuMZ/Dv1z27WRSIxd3JrDqY9JEkgLu7kB1SbKg5GSuZCI2lNp7ALlvaEGlZerT7gbrucdwqmdEgcMJHg4xGanQN/NEcSGZIXWXp91taiOR5JAceQAOhQ5kby6rKWsgYNSr90AWwo28OFTSQnAfsvEmMrrBCXgnOwE3o7PCsE6dASaQzXIhGJaJ5WzkUOZ1lqAp0DUp6TRUoTAwUScAWQEcLostVDPO1RKxoGebC8zbSA1XcdKzoWrjYWUkR0QgtgRnBgrEXBulDRiCYxoLQIebTaHlk8O3crJUbRVnrMLSyRKQjZB421Uc8rZbGYxrIxQ8kHaJcD7FwvXl0A+dkHp1zpkSQBDCGfDhBIEBQiTTeMttp0QHjIVPGf5zbVueFZw2aQ1A0rOW/ISche4aLnnmOO7B7FtT0qnyplfxMjtvLuatZie7iVBvYLh6eKRjX89sSRWIiCTajhnjMpVW2JRV0WelD6JHp88K30QN6PPrep7Z0vPTp+fqi0mPTM5V15WqqTlXqoGznSUc8QzRV30Z/HHRV7wkvlO6DH5nTgZ2m94KbyDGtkIGPHkqdSa9LaFWb8KyXGOC6EAB/gFe673VlrjBkybuuhv8j0vbNTf7m8yiy+/wf3vzaN0N7UdGYvXN7W9w+Gvu5T728Ffe1332wy88rtVdSscWYFIhvd5fn/YTO8IhYrJDShtZLnQPRseyPy0Pi2diVUyHQ0Q4niBn/IrXaNGP9XXB3J00ECEitDGnDhLvQ66JeZPD+6qAY+CLFc2ET8meCeC/Y/0cD3DfhaQVzSwJk2gVJ1LcW7KTXDA8Rqz0dhfs1gRcUqUwdyGxXlhjD49URA5Vle3HSn35wmJwPEacWy+sCGEGBeIGRCkLzTOMPRWmShUNsCmqgjLE3HrxxRpQMbA3WxosOwE46u7nPPtD4mU2vKtfhaMhHlWpMD+EWHlM1JGXOYAg1bB6wPVx4IE8D69ICQpHMfbAP94WLa6qvELKeqjpziZM11viPbHX2Z+/zuMGGJF13KCpXUR6f7zSi0Niyy9B1aFKzVVxsPOuf7ULChHulbRbZ+jLZmlvgdXmM24cN7RDztoRZDBEstJ2/v54zmytaDa31KWa3JKsj7ivasMuv4fzwBlAd+xRWnGYYiDSwxTEBRwEmPugUGZFNKCC0a1po3Tsr+Yb7mgS3Gi+WUb6ncPXhUMs8/lkZCsRFzFJDc3HdIKYIhkHEcFmyjR2Ef0XHCikhUtHiaWqVhzuKqpXhrMcBcP20Gt3N6Puez/RetBJIOpFmAyRK+Qal6QvaxEWwsQZpgHWN54jysTcJaTL3uW5qhuEMJhCtpbQMi21oOex1hCGOJiBv4Od4x+d8/dn13fm92g3h4oMHnNHGySAoofNDEJ1/B9vwVGn25kvr97+t3p7uIEYW+GcuPOym7easNUJ9+qGVyZWj6NjkIVo6VWDS10AZAX0FT9jR3MPNljZ4qxss/xV9EKr6XPyJVfzhHOvrP9QwrrwXi6q7YipbqAcBYVOwZCi5sD78vjdI2166wIUyU1vBMOWp43cs4zND743QO3DbJkrsFZ5DPyYWKuOTrMS1r7ucfDzw3K1TvDxkFzjxnEZjnNVNDgkbVDh89F1zaG0+sD00VD61R1qf8OorDt4eTRk1ntTXoaFIocuP4BpUOUzRmzdYczjIbbWg+63jIWaM5lHxEKd+9TGWNiepz89suN86jnF/VmB3q59ZKAAZcD1zXP+SlOiSNSdAZCkFxgUMGVrHa5U7Kxzw656kaJGbWqTvlXfNEmdOvVlKS7U+cZXQFBTNW/n9SvbDJMdQoKV0726HfLhfjcF1qdrNkMhncBVdCdcIIfXuH49fd8H+o6YVpBQgsCQMgB1uQEmdoDHCKTlV0RmtcMdK6k88VEz8ikXubRALMwlx8GICd+4xGFKgdpyVSK5d9Di/ldyPLOCtmvzWxGRi51u1zl0XIYlVwf6k
gtGvE5hcWIAEx8mCXzNXLEODlfTV0iONJKR554TBs4ly68zITqXmQcdUCqekFfux5xh5j79W3bUbb74YfVczfyJdPaP7BDyP2LEKt3UVU3Aizi9Usn1iJxerePacvqW0786pz9Z3ehjSIbq/fmjCYaazfkDyoVcb5qpWB+wb1uZVf7070FmPTOJUq2XfyyJcm9q+Rqt/ANy/5b5wZb5nwHzV94P2/L/lv/XZqHvmP/XuWv4zGRG3envY4mM+sPfx2H2pufID9i77Uak/Onfgyx6ZnKlzvjg0eRKre3BlnO3nLvl3Bzn1hisPB7n1tmrbDl3y7nfH+ciFtS6okUsqPchnzioXYcz5/0rfrFkT/asKhsdZROCjAfaOWewXAVI0zjbG2DimUeZDz2PmaSKpktMArouioSBEx5O8rnwaCw2i2LWyItsr9sp3sGlQ2W6I1AS7rN5zInIjzZzJhz50f17EpaQkR/VI5TNuRQuYtQp4RIJp4BDk6dRWczTm+hinrprWcxiCHp7T9LJ8L2TRwSnKupaHZ38dAmmaAByl/FAUgZkZdZzK5HRhB7ZiE4RU5XuWS8sN/Ra6BYVzbPyAalyZmF+pEBfyCfbHWFdcANkLLuCdq94oEL7tnCmaKAR4ejvnMfHcTU21OV5zamUmYf7iCCwU2FUCfSCyIPct14YOJCfeMsvNHvMZ8mRc+2aWioKDOpanHuRZNq6jcpCf9ZUVteIW5M/rskXVQXkCkByOYPhUNv6cd3ZmM8G9Hb+IyrykwaGuOKrx9x/vT+Xy8qdTDIrYIMq2LAuc9EIu9yHLJorFtGaEWPuPI3UYWNWhfI/uX9YmZn0EnxK/aM0DVJQdKiSsyxWXwiF9cI8+iP5rUkipF6WoFOSJlIYDwqUPqfA3jB9wix5RK5Pk+cgrSrgyVM4zgGHY5K1HY4FCtMmw0nyFE1TEDnXBZiM03SYPeWq5QFCaUVciFn6PCNu8ixo7PpJIpbyOUlMTFUplzENmLJwj8dhIQNytN8r5xwdlHOSRlKi811KChnjUs0S84U0jwLl0ibLiQtJDzOXBpTxUma5aS/OpxCZFJK3ESReKacwJEPoClrMCQv9GNKgUIH29p/P8REsQPiUC1zIKaUIFzAI8lmfKS4MX0IaaZqOyt8deoelIdY5LYFuhZyFCn0Mx0M8pPkcgt1CfaTQIUL9OCpkyLVAISMOSyNFC1+pjMaLGcJ3/cJnRZiMZ4UMVkxhIkoYVXnDQo64zScZgoFsqpAXkxJ9cvRHIenDbmk0uQ97vYOKzMOj+cz9VxWQh90ye3GfIa+YERe+hVNWGNI5JpEitZj2BqUqik0K6BaTuIBngVAxyQvVCxwiWuRLwYqpmLiwiGhR/gojt5JkTObZMib4j2K6zAIxR0VZMC182NSnpSQMcZKjdAKuzyhNZ45kjs/Hw6kMwJqtd2EEXR/15GxFRpjcqn2IoKGJz2P5QkRm7qqt6O0XtQ3bszbZszzsMjnZHTgojDBDTgxdZzCLIF/oXKoQRCmEwvVVNOh046uvrXw8PgG6ruwDlPc8SuSYZ40D3bhqcb1tT+JNz2wn7ff0EtjvKTkH9hT8pONy2i742+3bv+3sjCLw088nH9/06VBMIUM377DLKKdDcfOrbgV8jORaYrdlfs2uNF/t+pX9v5tdSns4N38S2ypw+4KracfalV9y/UzFaE89+uiA7qu5+Vtle2vJlkJKko2q6e/GO9UHHGLBoIscSAT20CAeLWK6mCOuLvYRgW0FPVKuFFPWEhQMAuqOgX6J2Fpu9HSXWibupYS8vL46Pjlz1N93Z1/lZldDnetRr2cnHzcH2HCsMfm83BlVwXuYLgFc6kmyExRAQoWPGMjf8byvUb788PPZ9dn/XquJZhHQ6fH18VKgj/2rr46UzuFhctvVLg5uI6xMyRgLJ3UE6ZRC7SyYgRI1jVKWG10rZRzQIchPkDJ98suZ3ev0uvZBZ/9gHXyVtTbK2VuyHonG8
m2mfUVkkmo2+z+dXVyY+ePy+PqnvdzVWAWXi9B4et6/vDj+zUCfnvV/vv5w6fTP+v3zD+/zBc2Ni84m64wVwht1jl7NO7FcWHop1pV7VscNsOPSypjaCkDznMR1xOgEe8gDNAkHpu6BgqVeeBsr0HM+Y+u06G5NnF3b3et/OPnZ6V9fnR2/SxYL7h6PB4Zes7y8llsljaI7yYjErKUIe6/c2F+V50Yk4kgpuZ6R70YGCaehXB05hFZdfr5MTkcySMkXCBgLPRATT4XbU2tHuVkAHmZIbu4xWkv+Lg3ZbV4XgmqnqqovVtunIUpjXTNz2PwiPdoun2ebNI1EbfDsgI6KaTyYyxtAdxxHhazpdJqPsV0dBZxZO//EuztMHfuiO4aUM8c7hqB3hwkXLFYYu/Pp1BH0TqPhTi4mdlt7OzMaM+fOZbNIqLw7WbkB2tVkWmozEWrMumnJEn/bZD22zFdrx8bExwMsbG3eYJvPa+6rkrmOpkbuFGwgCkR6dQIM0EaGEjubWVZXujnSxMS0CpYSdTpuctShuvVpd/e7MgBYi84a+Pvo7L+0B5QKmzI7oCNKkgNG4+nFCMrmO3DJgc44HiDtiHme6q59BLL3ktj0hKi3JeuR4CKJ1m7J1tq6OTXKSrgVcjcZ4wf1QcuQh7nDIfEG9NbRTtfnh/hUlePJIrFndw4P9tcZ1zJrvv2SI9LbV0fO0YGtitojErf3rBphbQV44Nq9Vu91iyvPGia93ymlu6V0r5TeL6UPSunDUvqolH4p059qJEd22qNG2XZ95I5t5g0s5RhEZnHEJohtRC6NTvDvN0xwQjQT5Gj/5RVTgQQB+m2m3zCLlQ0op35SqJ4LquhNhGp9UENbX6y9lsaRfIJ0aJ7mEF0iyfVxDNXo5kbCh9x/A/79n4YUsGyp2u29trkPGfJsjZBVhO8Ic8Fmjo8niDvykx05kM4YzRYsBBK9XlIcqOJaNMspTG06x2jWbJlQq/DiSLSSJlqyRzlh/dPPZ785Fx9Oji+cd8cnP52/P7vp/9a/Pnt3cxIzhog40b5x+kjcmMcb2csAc7GZ+rGZTqDb7SV+sZJPKGOlwj4uxQeLyWIUHIOrZPA1bMaFDzvoH368/vX46mxe65sg4he5oqDk5iomitU2rYQSF9VWlOigf6XTo4P93nvqVeijV+lZvVL7/XW5nmvEQkxgAPpKJNyc65PQBZU86Z40GugH7c3Z7Uacu3x1e3hQXt3CWFAV2n6NYCUpN5tjqeVc3deAmWA1vP2wLL0KWkyP+YfViKW+omeG4QDOHCgEdMcqDNSik6LEPFYdFyJuwkOpKoCuAqSRpFbGcaXt494lElhcUgFDo1+7onJ3KnMENVk/UVFI/0+M3Vkh53PMheO5yMlDgAzEYlToEyhg6dwk1Y8oDfowjAKUZF0hHlHiIWYyvlh7PByoUbjdq04TEYSFjAu5TU7az5lfFc9Az8mEjpF9DQVipZrLFZu0GyLAw0Hu7Zv31xfv/ExhaerMj+sm9Nr0nO3w8DAHye0ho6Gd+LW0lUprlUVfgCBHjgr9VLsnPMlixCiI3InQYJbGk8FkVKxvIfUu3Y2nttyFOq0aJWS61Jeb9EwdmddGWu29vHpujRg0G2B3hQOGo27X1uNsC2r7lIvm6IwHKOaLBE80Z5evRJApCTLCAsJHQ7GpFCqxIeQMRYxCnpjNt810+GbMBmKU5KqD83YQY+9NJ+HzMWIDlC+qN5iUBDPQjhgdsVSwRUKAtsC5yxk4lHMBJVCgmKcSgCGCpiVIyMdiJEA7B+ZDNkFcgLbS9k9gkAiQg7gEx33QTjjRZI5o4CEC2hDx3uFRUhIHE8SywtaeHv6HEiCvbC4QDOS8N6RshGwzuNzWY7GC/IiJ6wQIjmfOsGINc10IMDVgCI5pLBLd0oHd6x71jvTxZaw6PIwXU1uN1HB9D7MWn0nGCnLb/ygfgEqrATRo6eySz3h7yNuusni0qnf+skL5ua2Nz
poeSg4Qt+C9uxo1Ekxff9R+k1PH3SoMEaHE5gISDzIPTOFmhv6VIjtVnMfETXXYfC5nkF7/s1X+3OnOuqL8u70CuT39eBp8yuEQyR3IEl7tG7BsL/iwm0B1kLhAmSb79wOlYqMRb6ZLOzzqqfNPzBLwJpNV4X2Fro27PvLiAHmOgHysb/HV2NykoECCKrHZRNW92jLJbKHkUsH1ZTs8bwBRiJac3DjcYOSX75Q7h/t2+uG27JBcO3ymgwZjb0YYqRnCMT10EBlS5qKw8hJa/+xCAoMcENAO8rUzePOV60xIph8tU3XLVKsNKBELMed4oiRV0krxfmAmLrUZylu5nvvh7OTDuzO7//Hk5Kzf3wgXX5MLEkwQjgWeIEcwdS5UReXJNgFzYKDy0YnNW8TVZUDue8rGOb3Vm9tE5E1AV8TUTr0t39nZz8utAs/Ofl5uFXh29vPH/pU+69FA6i9qoRh7ErAQO1md8qVxG7xgougkmJhzTBh6RweWCuYgK5FPI306FATeYPnh0HLqWGFW2swQMdFSckGjefrQliWuyEydJRyASbF10D1vg2alzViVhmayzY12TEtMaV69Tu4Q2OkwNBo7H7IojrQOMOZwVKFRMTA5e3HJQWrRkzEaKKF4vbmlNKa6YTW/zE0oZmB/UjGe5XheQuEn5nofyR8xFcgzyln5yrwxyszTiwtd0mS/U2sUWY0p8oNxtDL/PplariFPSp/SEGLyr8vLy+KG+gRK4EL+BiSwEkfdu+GnvmziYzmhzBwPBUhUngSoayE/aTA1A57mQFfks7z7qOxEuzWA3E96IiVW689SeoiLGeV0yyvXkEuqKbTScVXZXjBR3X1aIHezbVBuo7QJETSbdDsvO3ZqWL1CuBuwbPFZoAI+C6sdjh0DPgsHshblT1wJDH1hyM9RRmIjKiAbIaWSbXto0ibxEkcKi6RyGkQ9INWSuLVnuqA3akmD3wxOkqt/X5s3l9m9LDGGrLKeegjGrrag02y9gKuLE1N6vfKZ0wxBy2K8a6bVEd4JoLEY0Jh4gCAxpWwMSoVXJKFV47jXWDhpHxuW/pP50dAZ2h1G/if10mAprxeWfqMcVFjKs4OlvVVYqb+J3JP2M2EZbxGW9iVhJd4jLO0vwgqzn6y1xAOEpX0+WExmap8OlvbgYGmfDVbeS0MSUHxBAPsNiHCZidb93iYw3lwYVfZaS9RIivAMbEHhuw6lLbSb3TOt5Nm/vcfcigO4naUGfrsbnr0t12/clyUAWCYiAjxBzHF7Dg6jABKxzlGdrgS4PWAqWYi9ZoonpUp6T89usQB78xsD9frE3DKqe//7CSWcBujTmzcfYhHF4oy41MNk9Pb3a3QrWh+vf3yVZH1680YmN1GVrBD/rvOymzd+tQM4Q3LpTgV1aRPRb7BHXSg2c3imqrgHl2c7O1V7O1m5lXMqli7czJvdytWbUqpXuRtTKQmenqsmxhEcCY5TF2nCQ4xttg17YKHJfSeJSYs8Z4xmtWEM+/2fsmMxCfi1vYTmQsSl0zGwSr2Vy7BSVs8C2qtdXfxDfXOBc7+4KCtkJTet0txSrNwHC2+3XGQvDVe6gZSuJI/K2HePQB5pnLB1yaM6aN59kMeTjYn25Mipeov/4NRUoQpaiZhqPJGvSUu5jjULmrZmOw8ThP2BKao6YNaDU9RmKoy5itYnzZpIO1uSKZJMZZilLdXcM9WAh42/8+QorS44z4MTWj4EznoUUhvWZ00ayXWuaYieNVv6JmVYXXiWB6esynO1lSirNrDLFt85fNcE9Xh4fOeCeayJ77pwIN8zvrHQdhPauYL2nT+PbWNXPsSjmOkbxokHnJl2t0hkZWBKWbgOwhccaLUiRkZlvOTzNJTuXLsKuPiqQh++0vLnqeI6wyihJLEiX3gwJjlYuzcQytt8BguoMUdPrdEjyta6XVQ49JGVKNy+6rwArzrq76sX4OBg/wV4pf4eHBwcLDiy5NzfQH/deWUHUCAGA
zukk8wScg4Jve7aLk3l+CcHjEtOJZPTBgOlzbogUWjRlmv3M+Bv34Jeb+4ArsFJZfHALkrtQbq9l62O/K/96gXomMf93gvw5k233e29kg/ydxP1dENUHR7tl1Blcz0Stq8so1bxhsl54LiICX2ghxwBwwgxTEb1quoLkCtQngF1eeMhcB1cVge1qlM3I+G2OQ/aske84OYrGuMnFIvqwe4hzKvQK9TmZa36XxaMzl/f5m/MxMqfru1CO08D1nwFVRc+7rGqbwxn1f5dzVWwTY4vGxqrHB7u2zweTBATtmAxF8lB59wkULmgqhchNccZjyNCqo8ktiKkWoQ8wDHLVuQ8Ho6/UZFTp6d5DIlTo2hpIHBytTQ7o2pQ5/cmxGq/cxWZAJbLhXuu7jvAQpWo2Uyh9Kgip+5M9BFETp2KZ9mBVt2J1ApiZTujPzarNWGzZ8peNefHWw77Gmxxj1V9hxwGQOUpfNW7ezyLf1QOrT93fwQGrT86b8BquXqaHpM3qPV7W3lvBdVjY6CJoHqGgqbeDOMxBE2tJcWcSNiKgK0IeGgMfKsioNYy51FEQJ1xzVYEbEXAo2PgeYuA2KOIcUdDpB7Ma80SNLipUHI3qrHNUyKAxgIkFnPLXd+sJBPKpgqyAi0PdBetDe66fVcEvB5pruBq5/DglQ0HsaTiAE30pV1DoXaIXB8SzMONSLX6+PsJkWrxSHwxqT7AgfCzR3nN/uTJYLy0Y5lDeA528cFjPal8G4isOdR5VERuYMCbi8lfDmA1h8j5mFTbueXJ0WetzvVRKTQvaub0sEuEzUJt67cubmo1W08GnXParm8eJXWahqeDkrL2YfH67XFE+mO6oH9GNIg9HQtxgacmCPofz081wU0hBxp0vctmOxyJGHs5B8R3d8DkySyVtzuvQtCbUNB3zlVf5MpiDiatMv8mCZ+/TB8kMSipdxPtxNdGYP1liphH2MU05s4ACw69EJM637zHOWiQQqdB9tPYio2wvIpv3rSthd55oefJYprDUvfvL3RAGx6HaCMeW8GrVrdzaGMykl9kC0oDWzBI+HAVP0wZVlJ547gBrnQKf5yLJBNCAkfaL3wscIDFrMB3QMUvScHXYcOKGGrG8ayUfSoGtQhST4JVJgVrDf9SR1hHndf5iNCSWjAXLOEPhbnqgt2O7aEooDO7ODArIsoLgrpbmadBAOQrgYi6PJbno/R+5nrcosk8zy9fgLXX8gLtGzz/2kPKc3lpGr05Vdk3e2n8Qh3VYr93YywDMohLHU3qFAp4o3F+U++7VCLczIqKbb9l3BPhcclvdZKzn+FbQQA6BEmZ9fBeISWTChcKSQlUkpAbCMXGobU6nX2b8jxwPgDCiqOtlh4LVh1XyEVEBLOU5yjLFriysF6QrDZf1fobXLLYmF/H6q5oj4uOXA+D/wb7HZ75ICzykNVUg261aSTaHhTQoyNbBQVso3CAPA95eqGs4gTKFeoSQB1fwI4YHaBG8MiNGRYzu3EL5nuaF1CBIxaCp19Y/Z1tGIVtHe+hDWNBHf3szAfU8lSoIhvrALyV7zJhUwNVDVDd6STHDWIupPwy3f9SLBBBdwxHKDPYyr80rSCmnElvwNCPtxBVNOcVPPXWnZwdJ/E0HmkXW3e1Vynu9HeY3xRZqV6v+rXaAc+9+g5P4Fc/YNyA2JetKw6PXttGFq7gYQAs2zlXU3rlwdvjU3r1DdQtpd8LpT/Z88knxBm1QT8elTFq7Cjvny9yjTa7V3n/XfjuWPPbYJzq8+BHZpz7voy0pfYttStqrztdfmR6r7/bc/+UW5wqGl0Fuv9ObNnnWbJP3Wn+Y7NP7Y2VLeVuKVdTbo3Rw6NTbt1Fiy3lfn+UKyBbdGJxDRmAzPXxBDUKmr70bDazrUkGWUBWjFHp6FW4OjnQbVovLHcj5fFr26VBUBqU4uB2bPOdCSjybA8K2GCMzUiKmY405WDiFA/tyuyvgklJLgcQXF//dt8n4Snbl4Zd8
bmleUqF2ku5M8ds5RcDFVpqPisLMVhRS0WBQV2Lcy+SzDRoYEWhP2sqq2vErckf1+SLqgKS6zHBgsFwqA0ouO5sEhix/BEV+UkDOoRiqYAJoFjKZeVOJpkVsEEVbFiXuWiEk0CNpWI6bGMFPHPnaaQOG7MqlOuwjxWZSS9B4Txfslv1UeTTte5YKkJiQlDgCAaHQ+zqXheksXqPyQio4P1MgCFlU8g8mZUGJlflVhQZO6XwcxGeUEGg62JLbtmKL0eUC6twfFwW2xdypjyRf66sT+XwdgqCSwpQDpm9op1GuaorCabqO5V/pvPQCo5ZOzu9w9879uGnu53e7x374NNd98a7+71rv/60e+Pt3rT+eTPY/ffBf6xPoDLgHvdjIQJkLeqMMiXS/oLlkzo8DZQ/7vnPfJtG8avr8PXJ5YF9cd6/Pnv/5q7/4eTn/m7NaGHqYaKa1E/KnNMjXNb+Alg+JDz5teNBTEQsk5GmJ5uM9FAP5c9+xOitigpMRoyOi8MZQYaIyDWshTMw0WWBZX70Xy0kgWV+/tQ/Y/2jBNynDRZEK9i1Hb7spbEhbZEwSWO2iz00WRKIVVsaARYHG62Dqt3Uy9Wz7ENbVs9bXuJ/Xs43VfnJXFT7Tq1o6yBYTMr58y7tjf7zq/urPzw4stEEEWELhkcjxJC3UvhWg0AiJyu0ZOF17aME8qvaIKbcbxqz7t3kcAVbiKNuV4FEyBZU2Yg0H1WOmJP4VRJiNj+ixwqmEMV+giGABKgYn7LHEwSMQ/W1xzOzOlIiSTYJPSUBCZrKlI7Z4XnyWdOyKpdbITS3VXruG9GqnVRqh3W60SZqOTd395XZHRQoCUKxGrF5OhD/UmIzcA9EbB5S87yHgi2BbUJABx0bhxF0ayIx7HfTyCXaXnOFQP+ahqZoAKPIwaHHnV+6DkN/xIhX2KX/igYgF1waGEDkgfN3p/1JF2TWoHwdQpIdaMEpb2GuOzPpSXA1VJJM1PuYBdokur3XDpGAStnQxjDMjBZz3WjrEN47NRSWESyMoOujnl7fYXKrsC9o6EJNa74QSkzc3dVRa2qsHfnRnrUU8C2wPsMJtDZY6T0EYXhMxXHnEZwS5NWFBP+B0akUMr+iwakqAEwBkBVYkRhKS+siur5Yrs9oiHTvFIJGyB1Tnc6JmqxYKsx1SVWE0lGA7CxDPWHN0kPM0JDebsK4na6tw/wstKTuvu7Y6DYKKBZ2FA8C7NpD6GIyygdyb44ybV/uDCgVDkMjuameOWOUXSqs4GtdBsgyICkDxmjWLJZYrUk7R6KVVNeSXcgt3n/6+ew35+LDyfGF8+745Kfz92c3/Q8/Xv96fHV28w67jHI6FMkNBvD++uYkZpIQfpFTKSU35wT/iAP0DkYRJqOb/m/967N3LUzwjfyKzUxmm3mW6XZ7thqfmZ185MpYcmnosMh1PDSIRyPtx3IllF1dnoCTD+9AWsFzwZ9580QQVaHgT1HEZpGgIwYjH7vOIKAqtlFyU3dFdBUqA0llphePjq2TrHezmw/npzdnxKUeJqPrWYRAR7/vn1+eBsGVnElQH48I8k6hgO/46CFQ2dyb03LWUx8bqot4Zq6Zx9sxyIGpJXREhV5aBLNm10wWX/gpXeZxo1huUalcxugF6J5HidwXBGiCApPFIPFoeGt3RwM7giOU3P9R+tM4/C/hRqUczoNiTnceqDsP1ZuH6uWgCHaRD7lvkjPEIzqV0/EGhLB4TXPw+shmiNOYuWiNQGMJ7tV0y1Bygid7uYB5TSmQlCpdNtqMa9UFw8SmJ7vOh0tX+Uz5m6QP6krYBsPckN86+0d2CPkfMWLQqxjpBXJTrp+mMEjiW5rolasKzKSWUgzMR5zk1EIjmc1OtPTpI3HTN2fLN30fMuQdqwXfzSVkMESyRzc/mk+5VEN3sxGXNETfZjOfT7ng2iNAPaKEj1IGUQUy3wCb4WVFxtAn/Pu9G73/4DdIuDeqQw8wzhuwSbJpdRDnZ
s/aTCqFybQNkipAVgXIqngYNJiLxECuyXm2pAD9pG8n6q77Tcg5chF/+uJLWyQMaeAhxleVWtpQwRR+TGFVuyIvL8fPzLxy01dd/1F3XU/s91PxR44YKNX+tClASRQHkQlmNEREOBPIsOLKFclBV0GUE4ekjsekCvVhFVOYebzp64rBO+V7gt2cZf1/4jjTnndXxY8u9ZgYSdhJrQ1wXoImfPVR9fEhhr/BomHRAjugo9WXeUm5p4CDhtoL1d8nj48Qa9UtJqM63e2J8faTHudOMAS/vjtfb9QrDoO+WGpbqJrfs15Ybqj9h1RZUBQV5L+G+JJN+mdf291I5+Clbb7IzhzuqDv4LJaPzXSw/zcAAP//UEsHCNE5ZgjYRgAAUisCAFBLAwQUAAgACAAAAAAAAAAAAAAAAAAAAAAADQAAAGN1c3RvbS5wb2xpY3ncnU9v3DjSxu/5FELe8yRk/SMZYA4B3j3sYXYHg9wHspuOe7bd6rTk2P72C6mDCdZp75gKFqnHOQ0G3e3nJ5JPFYsl6f+6v//y6z9/+/D+Hx/edX/bbKexm4Zuut6O3dV2V7u77W7X7Yepu6jdsV7t6uVUN912303Xtfv/fuo3w8fu/eHQ9fvN6cMXtRs+1+PdcTtNdd/dbafrbl/vusOw214+nH51M9ztd0O/Gd90v+5qP9buZthsrx664+2ujud+/mo4dle3u113dbu/nLbDvt9tp4c3rz7X47gd9u+615pj4devll9496rrfuq2m3fdb/1+M9zs+5v6quu6blPHy+P2MJ2+8nr5f1fb3VSPy3fmfz91w9j9/HP3erfd396fPlLvD8c6nv7QcKj7NzPFm/lXl0/W6fLteN1vhru3h34c74bj5vS9zXbsL3Z186676ndj/VNVve9vDrt6eaz9VPvL8Wa6nv9z7D/W/TQTHOt0e9yPw7+OdTwM+7HGFIVMjORbjl8euvfzF5ertwap3tfLR0jj9f+CwIqBE6TMAZsgWxFwgswZm6BQCmTABEo5Ya8DFVHsdaAawL1IVYyw14HFTNhjkGPBdlPNBr4OjAN4TDaJAXodcBYruQRcAhHSbNAESqEEZwSbuqvPJiClooEYl4ApWfa2R2sjUGPx5kUf6/RM+VGiaqIIK59S8RaNW+QrZyKFlW/K3jKJJvmWvCWjLfJTSchX32FhpUG+RnIXuVrkc2LBdR6VQMBRV5Uj8txXC4Y7eSyou+1ji3xWAnYeU0VOmJP4q8E1yM9CBiy/BHVXP2yRX8zdQUaT/BzFWb3h+fIpcAQ2ToohKe7cpxgj8FadohmwcVLM81YddunGMicNsPLJkMMWcUzAOQ8JRQV2HjEBThpIsgAXSkjFUsZ1Hs3ZXeNJg/ws/voFGuQXIeAKM5WUgeVzoKC4OQ8H0YCb83AoDLx0mQKy8zApcpGQCfpojslh23OL/KVjGFY+hwh8LM0MfTjEvLTZAsu3AGycrAl4r8tsAbgpgDkFdzdNtcgvhnz1JUAnzBIKcImWhQvw8QSLkBjw1Rcu3lqBm+Rn4H4ellyQN4tSInBLBmtIyHtdpejuPuUm+Rm4vs+qglxpUDVk41RDPhxiTYJc59ESgM+2WEtBDltJmCOjXn0hSRwzuZJ/e9g8/wbALzcPnSH4UMcJhYFp/gfOoBF+HIT47P4LikHj2XAAxWB2tgYExZDD2VIEEoOGcraYBcWghD8OluB9SZ9oO0disHi+Ng3F8ESJFIrhiXY+KIZM+HOpGPxcWm7ABs9bM53Pl3B2cVmCoY9CkYg+kzRQyugMy0394AyUCJ5heToBOINEgx+H5bGV6Axa4H1J5kQDnGF5gCg6A0f4ubR0CIIzLG2C6AyMH6fNzuetMLsHTQZ/fnJ6ng04g+Hv4ixH+Kw1RYafS0nwnTVZgq8t5RzhM40SGP5supQ5WUJnyOgVMgqS0OcSBQvocZoiSQY/e6DIKYOfAX15pBI2A6WA3vdDHPj8w5WQGPDP14mX80RsB
uMnKmQoFQFKmQp6ppHN5GyURhkFDtHQexw4kKFXvDkIfI80ExF6/xjT0puLvKIZ/2ydOcr5FY0zCgS/f2PG73BgZvg6K/PyOkLo1fDU+RXQKEhM6P0NLALfDcqidL5XBmY1iML3s7KkhF4HYEnl/LM8kBiWJ2JgM5zurQdnsIg/DlbQ70tkTYR+Tx9rfqKqBMRgwQw977YcEsuZF9fiMEgIpCFCrwcJZCX7Ybh5+H2R+/uff/OHp6Gfdn9sr7Y3FxfX3+rZ3nT9ai3Doe4faanT5dvxut8Md28P/TjeDcfNfxc3jsO0u/h07O9diJuOt1+1TXWc2t5mbbEop+xj3FfItxi1OLkPbY18ykLAV58Dm5MXOq6SH1mRrz5rRJavKTh5j/4sv+kF7ifjzE7egL5C/mKcCVc+ZWEnVbM18mfjLMDyIxvw3GdWQpavKTiKug1Pfzu5ppNn77VqtxjNU8Bq0j77Jeicmc0yOcrx27RHVxlym3ZWL69rb9euKTgKsB+Hpuw4qomv9LIRgK1ki55SnFaAbJSSJ9v5o//cNyFQtpgsORqDZgQmLVE8TaMZ4flGNG+yVDwVqA4P0/WwbxoEUpKQPQ3CGgjLmUNwtGVcAcGRAofkaNt+vG2JyxSiWsyOcuhZ/18e31z0m2P9dDt//CuKULSSzA/K9HD4IqNpTomFkkp0lOetBolZ2MuT0b8LRISVHK3y1SBKpZw7coYDsWiUXgJICmReHr//fSC5kDqqJH0FaSznLfbrcrE3giz2+xJGZLFfR+nuapDFfl0u9kaQxX5fAshivy5TlFaQ2X5dutbztyMxaAgluUx9n08hWrJZdulXDRSnOAhPsQRBl7vCFoo5ArKj6vM6iiX8uUxIWiiW2OcyZLRQLIEPfizmqOep8eErxaoi1sl0PZ3xfTfQ7L/icrWsBFqs2GWitRJodmV1WUpZCbQYtMvEZSXQ7NXlJY3QbNsJ07b/4/hHrFA5dxD3Y24d+R6UVDRyPuNrcCgSVFiyo0bstSCnbMDl5qURZMkCXGabjSBL9H8JU2uJ+vgWDB3tv92RlZcwIkt0d1Qc/kv5T+xcirKnTqGVGBajRUfJ41oMyiKOQuFaDA6u+u1XY0T2VKdfjeFrL78aQxMhLfFHyeFstEhr4nECEi0ihbtH8mdjRVoDj+TPhorkRI/lR/bUP9os39d2qFm+ph994+G/AwAA//9QSwcIf7LXoRwIAABNywAAUEsBAhQAFAAIAAgAAAAAANE5ZgjYRgAAUisCAA4AAAAAAAAAAAAAAAAAAAAAAGRlZmF1bHQucG9saWN5UEsBAhQAFAAIAAgAAAAAAH+y16EcCAAATcsAAA0AAAAAAAAAAAAAAAAAFEcAAGN1c3RvbS5wb2xpY3lQSwUGAAAAAAIAAgB3AAAAa08AAAAA", "encoding": null }, "headers": { @@ -26,7 +26,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:59 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:37 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.frozen index f0de7ad59..b7bb98d22 100644 
--- a/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:59.438Z \ No newline at end of file +2025-05-15T11:49:38.307Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.json index 30f0d5596..0bb4eee32 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.json 
@@ -13,7 +13,7 @@
 },
 "response": {
 "body": {
- "string": "# IMPORTANT: Edits to this file will not be reflected in the Datadog App and will be overwritten with new policy file downloads. Please modify rules in the Datadog App for full functionality.\nversion: '1743517859524'\nrules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An AppArmor profile was modified in an interactive session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description: The auditctl command was used to modify auditd\n expression: exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd configuration file was modified without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_rule_file_modified\n version: c533115d\n description: The auditd rules file was modified without using auditctl\n expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n \"auditctl\"\n agent_version: ''\n filters: []\n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description: The AWS EKS service account token was accessed\n expression: open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n 
\"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\",\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]\n agent_version: ''\n filters: []\n- id: aws_metadata_service\n version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n description: An Azure IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version: ''\n filters: []\n- id: chatroom_request\n version: 91aa2a0f\n description: A DNS request was made for a chatroom domain\n expression: dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: common_net_intrusion_util\n version: c7198131\n description: A network utility (nmap) commonly used in intrusion attacks was executed\n expression: exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\",\n \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]\n agent_version: ''\n filters: []\n- id: compile_after_delivery\n version: f41c1e36\n description: A compiler wrote a suspicious file in a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", 
~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n filters: []\n- id: compiler_in_container\n version: 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id: credential_modified_chmod\n version: 7e14d921\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: credential_modified_chown\n version: 3731e0d5\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
\"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: credential_modified_link\n version: 7594ec54\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n version: 5aec9afe\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
\"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_unlink\n version: 5af577d\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", 
\"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n version: 1c101338\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode != chmod.file.mode\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: An 
unauthorized job was added to cron scheduling\n expression: |-\n (\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description: An unauthorized job was 
added to cron scheduling\n expression: |-\n (\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_utimes\n version: d460ba68\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n version: fc017137\n description: A process launched with arguments associated with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n 
agent_version: ''\n filters:\n - os == \"linux\"\n- id: cryptominer_envs\n version: 654a00aa\n description: Process environment variables match cryptocurrency miner\n expression: exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description: The Docker socket was referenced in a cURL command\n expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"*docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: database_shell_execution\n version: 3508c713\n description: A database application spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name == 
\"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version: 356d5ee7\n description: A privileged container was created\n expression: exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dummy_rule\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_AszwF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_DBtCK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_JAnCe\n version: 28ba1078\n description: 
Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KJInv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KSDPb\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_PkauG\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VfQSV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bVlLJ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == 
\"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ipyRF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_mABue\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_qDgvU\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_sUVnW\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_tSfwV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n description: A process unlinked a dynamic linker config file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process wrote to a dynamic linker config file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version: 28ba1078\n description: An example agent rule generated in terraform\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == 
\"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel modules were listed using the lsmod 
command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\",\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden file was executed in a suspicious folder\n expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n description: An interactive shell was started inside of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: ip_check_domain\n version: 2d5285c0\n description: A DNS lookup was done for a IP check service\n expression: dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && 
process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: java_shell_execution\n version: 24c2eb7c\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/b
in/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.ancestors.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n description: A Jupyter notebook executed a 
shell\n expression: (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: k8s_pod_service_account_token_accessed\n version: 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\",\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\",\n 
\"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\",\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\",\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\",\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\",\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\",\n \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\",\n \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\",\n \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n description: A new kernel module was added\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel module was added\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n version: a18ca197\n description: A new kernel module was added\n expression: |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version: 904592b4\n description: A kernel module was loaded\n expression: load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"]\n agent_version: ''\n filters: []\n- id: kernel_module_load_container\n version: 139b666a\n description: A container loaded a new kernel module\n expression: load_module.name != \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n version: a277c753\n description: A kernel module was loaded from memory inside a container\n expression: load_module.loaded_from_memory == true && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n version: 55f9569\n description: A new kernel module was added\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n 
agent_version: ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description: A new kernel module was added\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n version: 652391be\n description: A new kernel module was added\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description: A new kernel module was added\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kmod_list\n version: c353a548\n description: Kernel modules were listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by a link to a suspicious file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id: memfd_create\n version: 5908512a\n description: memfd object created\n expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version: ''\n filters: []\n- id: mount_host_fs\n version: accb4f\n description: The host file system was mounted in a container\n expression: mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description: Process hidden using mount\n expression: mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description: A suspicious file was written by a network utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n 
version: 3df2d9ef\n description: Network utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters: []\n- id: net_util\n version: fc362090\n description: A network utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: network_sniffing_tool\n 
version: 4ae409bf\n description: Local account groups were enumerated after container start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description: A container executed a new binary not found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch Configuration Modified\n expression: 
|-\n (\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open\n version: b5602c6f\n description: Nsswitch Configuration Modified\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version: b83fba22\n description: A known kubernetes pentesting tool has been executed\n expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ 
\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: package_management_in_container\n version: c152fcaf\n description: Package management was detected in a container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: pam_modification_chmod\n version: 974a676e\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pam_modification_chown\n version: ca22d0ab\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pam_modification_link\n version: 3d5d6b31\n description: PAM Configuration Files Modification\n expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version: 9440f452\n description: PAM Configuration Files Modification\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM Configuration Files Modification\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in 
[ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration Files Modification\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n version: d377b599\n description: PAM may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n version: e1d41f5e\n description: The passwd or chpasswd utility was used to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS lookup was done for a pastebin-like site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n version: 21da2189\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description: Critical system binaries may have been modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description: Critical system binaries may have been modified\n expression: |-\n (\n (rename.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical system binaries may have been modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n description: Critical system binaries may have been modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n version: 4241c309\n description: A process resolved a DNS name associated with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n description: A web application spawned a shell or shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n filters: []\n- id: ps_discovery\n version: 
a0a32c4b\n description: Processes were listed using the ps command\n expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description: A process uses an anti-debugging technique to block debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description: A process attempted to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A process was spawned with indicators of exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n filters: []\n- id: python_cli_code\n version: '989474'\n description: Python code was provided on the command line\n expression: exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters: []\n- id: ransomware_note\n version: ee40f85a\n description: Possible ransomware note created under common user directories\n expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\", ~\"/root/**\", 
~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n && open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] && open.file.name not in [r\".*\\.lock$\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description: RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n description: The kubeconfig file was accessed\n expression: open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description: OS information was read from the /etc/lsb-release file\n expression: open.file.path == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n filters: []\n- id: redis_save_module\n version: b1cb9110\n description: Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n- id: registry_runkey_modified\n version: 3df7b8e9\n description: A Registry runkey has been modified\n expression: set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n 
~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\n NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n version: c7144439\n description: The runc binary was modified in a non-standard way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: safeboot_modification\n version: 75fb1a6f\n description: Safeboot registry modified\n expression: set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n 
version: afa9a8ba\n description: SELinux enforcement status was disabled\n expression: selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: service_stop\n version: 8e434232\n description: systemctl used to stop a service\n expression: exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description: Shell History was Deleted\n expression: (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters: []\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic link for shell history was created targeting /dev/null\n expression: exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version: ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version: d1cecdac\n description: Shell profile was modified\n expression: open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH modified keys may have been modified\n expression: |-\n (\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n description: SSH modified keys may have been 
modified\n expression: |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH Authorized Keys Modified\n expression: |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH Authorized Keys Modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n description: SSH Authorized Keys Modified\n expression: |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized Keys Modified\n expression: |-\n (\n utimes.file.name == 
\"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != 
\"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: eb594616\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: 
ssl_certificate_tampering_open_v2\n version: a90058eb\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_rename\n version: e42eefb4\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_unlink\n version: 37c40311\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description: Sudoers policy file may have been modified without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"\\\n ]\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n 
description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chown.file.path == \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n version: af2610b6\n description: Sudoers policy file may have been modified without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: suid_file_execution\n version: 1b4f4075\n description: a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n version: 8b9461f4\n description: A container management utility was executed in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: suspicious_suid_execution\n version: 216c8207\n description: Recently written or modified suid file has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description: A service may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n 
description: A service may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n description: A service may have been modified without authorization\n expression: |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_open\n version: b6dce303\n description: A service may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_rename\n version: 9759ce6\n description: A service may have been modified without authorization\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", 
~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n description: A service may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_utimes\n version: 82acf2d\n description: A service may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: tar_execution\n version: e63af392\n description: Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n version: f43786f8\n description: Test Agent 
rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n 
agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n version: 28ba1078\n description: an agent rule\n 
expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name 
== \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n version: 3d9489bb\n description: A shell with a TTY was executed in a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == 
\"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) ||\n (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\",\n \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created via an interactive session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description: A user was deleted via an interactive session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: windows_cryptominer_process\n version: e26f81ab\n description: A cryptominer was potentially executed\n expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n", + "string": "# IMPORTANT: Edits to this file will not be reflected in the Datadog App and will be overwritten with new policy file downloads. 
Please modify rules in the Datadog App for full functionality.\nversion: '1747309778382'\nrules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An AppArmor profile was modified in an interactive session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description: The auditctl command was used to modify auditd\n expression: exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd configuration file was modified without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_rule_file_modified\n version: c533115d\n description: The auditd rules file was modified without using auditctl\n expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n \"auditctl\"\n agent_version: ''\n filters: []\n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description: The AWS EKS service account token was accessed\n expression: open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", 
\"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\",\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]\n agent_version: ''\n filters: []\n- id: aws_metadata_service\n version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n description: An Azure IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version: ''\n filters: []\n- id: chatroom_request\n version: 91aa2a0f\n description: A DNS request was made for a chatroom domain\n expression: dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: common_net_intrusion_util\n version: c7198131\n description: A network utility (nmap) commonly used in intrusion attacks was executed\n expression: exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\",\n \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]\n agent_version: ''\n filters: []\n- id: compile_after_delivery\n version: f41c1e36\n description: A compiler wrote a suspicious file in a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm in 
[\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n filters: []\n- id: compiler_in_container\n version: 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id: credential_modified_chmod\n version: 7e14d921\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: credential_modified_chown\n version: 3731e0d5\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", 
\"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: credential_modified_link\n version: 7594ec54\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n version: 5aec9afe\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", 
\"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_unlink\n version: 5af577d\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n version: 1c101338\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode != chmod.file.mode\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ 
\"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ 
~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_utimes\n version: d460ba68\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n version: fc017137\n description: A process launched with arguments associated with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: cryptominer_envs\n version: 654a00aa\n description: Process environment variables match cryptocurrency miner\n expression: exec.envs 
in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description: The Docker socket was referenced in a cURL command\n expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"*docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: database_shell_execution\n version: 3508c713\n description: A database application spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name == 
\"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version: 356d5ee7\n description: A privileged container was created\n expression: exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dummy_rule\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_AszwF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_DBtCK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_JAnCe\n version: 28ba1078\n description: 
Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KJInv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KSDPb\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_PkauG\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VfQSV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bVlLJ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == 
\"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ipyRF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_mABue\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_qDgvU\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_sUVnW\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_tSfwV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n description: A process unlinked a dynamic linker config file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process wrote to a dynamic linker config file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version: 28ba1078\n description: An example agent rule generated in terraform\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == 
\"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel modules were listed using the lsmod 
command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\",\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden file was executed in a suspicious folder\n expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n description: An interactive shell was started inside of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: ip_check_domain\n version: 2d5285c0\n description: A DNS lookup was done for a IP check service\n expression: dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && 
process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: java_shell_execution\n version: 24c2eb7c\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/b
in/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.ancestors.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n description: A Jupyter notebook executed a 
shell\n expression: (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: k8s_pod_service_account_token_accessed\n version: 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\",\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\",\n 
\"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\",\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\",\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\",\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\",\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\",\n \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\",\n \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\",\n \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n description: A new kernel module was added\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel module was added\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n version: a18ca197\n description: A new kernel module was added\n expression: |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version: 904592b4\n description: A kernel module was loaded\n expression: load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"]\n agent_version: ''\n filters: []\n- id: kernel_module_load_container\n version: 139b666a\n description: A container loaded a new kernel module\n expression: load_module.name != \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n version: a277c753\n description: A kernel module was loaded from memory inside a container\n expression: load_module.loaded_from_memory == true && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n version: 55f9569\n description: A new kernel module was added\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n 
agent_version: ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description: A new kernel module was added\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n version: 652391be\n description: A new kernel module was added\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description: A new kernel module was added\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kmod_list\n version: c353a548\n description: Kernel modules were listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by a link to a suspicious file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id: memfd_create\n version: 5908512a\n description: memfd object created\n expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version: ''\n filters: []\n- id: mount_host_fs\n version: accb4f\n description: The host file system was mounted in a container\n expression: mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description: Process hidden using mount\n expression: mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description: A suspicious file was written by a network utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n 
version: 3df2d9ef\n description: Network utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters: []\n- id: net_util\n version: fc362090\n description: A network utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: network_sniffing_tool\n 
version: 4ae409bf\n description: Local account groups were enumerated after container start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description: A container executed a new binary not found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch Configuration Modified\n expression: 
|-\n (\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open\n version: b5602c6f\n description: Nsswitch Configuration Modified\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version: b83fba22\n description: A known kubernetes pentesting tool has been executed\n expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ 
\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: package_management_in_container\n version: c152fcaf\n description: Package management was detected in a container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: pam_modification_chmod\n version: 974a676e\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pam_modification_chown\n version: ca22d0ab\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pam_modification_link\n version: 3d5d6b31\n description: PAM Configuration Files Modification\n expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version: 9440f452\n description: PAM Configuration Files Modification\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM Configuration Files Modification\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in 
[ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration Files Modification\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n version: d377b599\n description: PAM may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n version: e1d41f5e\n description: The passwd or chpasswd utility was used to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS lookup was done for a pastebin-like site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n version: 21da2189\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description: Critical system binaries may have been modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description: Critical system binaries may have been modified\n expression: |-\n (\n (rename.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical system binaries may have been modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n description: Critical system binaries may have been modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n version: 4241c309\n description: A process resolved a DNS name associated with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n description: A web application spawned a shell or shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n filters: []\n- id: ps_discovery\n version: 
a0a32c4b\n description: Processes were listed using the ps command\n expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description: A process uses an anti-debugging technique to block debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description: A process attempted to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A process was spawned with indicators of exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n filters: []\n- id: python_cli_code\n version: '989474'\n description: Python code was provided on the command line\n expression: exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters: []\n- id: ransomware_note\n version: ee40f85a\n description: Possible ransomware note created under common user directories\n expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\", ~\"/root/**\", 
~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n && open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] && open.file.name not in [r\".*\\.lock$\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description: RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n description: The kubeconfig file was accessed\n expression: open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description: OS information was read from the /etc/lsb-release file\n expression: open.file.path == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n filters: []\n- id: redis_save_module\n version: b1cb9110\n description: Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n- id: registry_runkey_modified\n version: 3df7b8e9\n description: A Registry runkey has been modified\n expression: set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n 
~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\n NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n version: c7144439\n description: The runc binary was modified in a non-standard way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: safeboot_modification\n version: 75fb1a6f\n description: Safeboot registry modified\n expression: set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n 
version: afa9a8ba\n description: SELinux enforcement status was disabled\n expression: selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: service_stop\n version: 8e434232\n description: systemctl used to stop a service\n expression: exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description: Shell History was Deleted\n expression: (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters: []\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic link for shell history was created targeting /dev/null\n expression: exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version: ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version: d1cecdac\n description: Shell profile was modified\n expression: open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH modified keys may have been modified\n expression: |-\n (\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n description: SSH modified keys may have been 
modified\n expression: |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH Authorized Keys Modified\n expression: |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH Authorized Keys Modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n description: SSH Authorized Keys Modified\n expression: |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized Keys Modified\n expression: |-\n (\n utimes.file.name == 
\"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != 
\"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: eb594616\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: 
ssl_certificate_tampering_open_v2\n version: a90058eb\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_rename\n version: e42eefb4\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_unlink\n version: 37c40311\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description: Sudoers policy file may have been modified without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"\\\n ]\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n 
description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chown.file.path == \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n version: af2610b6\n description: Sudoers policy file may have been modified without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: suid_file_execution\n version: 1b4f4075\n description: a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n version: 8b9461f4\n description: A container management utility was executed in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: suspicious_suid_execution\n version: 216c8207\n description: Recently written or modified suid file has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description: A service may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n 
description: A service may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n description: A service may have been modified without authorization\n expression: |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_open\n version: b6dce303\n description: A service may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_rename\n version: 9759ce6\n description: A service may have been modified without authorization\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", 
~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n description: A service may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_utimes\n version: 82acf2d\n description: A service may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: tar_execution\n version: e63af392\n description: Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n version: f43786f8\n description: Test Agent 
rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n 
agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n version: 28ba1078\n description: an agent rule\n 
expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name 
== \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n version: 3d9489bb\n description: A shell with a TTY was executed in a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == 
\"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) ||\n (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\",\n \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created via an interactive session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description: A user was deleted via an interactive session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: windows_cryptominer_process\n version: e26f81ab\n description: A cryptominer was potentially executed\n expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n", "encoding": null }, "headers": { @@ -26,7 +26,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:30:59 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:38 GMT" } ], "recorded_with": "VCR 6.0.0" 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen index 27be8fe23..002c76e4a 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-04-15T09:10:08.098Z \ No newline at end of file +2025-05-15T11:49:38.566Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.json b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.json index 61621a698..1d534ea23 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1747309778\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"pp8-iw5-agt\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708208235,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"1td-7qk-v2w\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1747309778\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309778608,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -32,12 +32,12 @@ "message": "OK" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:08 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:38 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:test\"],\"hostTagsLists\":[[\"env:test\"]],\"name\":\"\"},\"id\":\"pp8-iw5-agt\",\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:test\"],\"hostTagsLists\":[[\"env:test\"]],\"name\":\"\"},\"id\":\"1td-7qk-v2w\",\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -49,11 +49,11 @@ ] }, "method": "patch", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/pp8-iw5-agt" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1td-7qk-v2w" }, "response": { "body": { - "string": "{\"errors\":[{\"title\":\"failed to update policy\"}]}\n", + "string": "{\"errors\":[\"input_validation_error(Field 'tags' is invalid: cannot have both the new and the legacy field populated)\"]}", "encoding": null }, "headers": { @@ -66,7 +66,7 @@ "message": "Bad Request" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:08 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:38 GMT" }, { "request": { @@ -77,7 +77,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/pp8-iw5-agt" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1td-7qk-v2w" }, "response": { "body": { @@ -94,7 +94,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:08 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:38 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen index 435b652a2..10aed880f 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-04-01T14:31:00.854Z \ No newline at end of file +2025-05-15T11:49:39.566Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json index 5dca340ae..edabcc3c9 100644 
--- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.json @@ -32,7 +32,7 @@ "message": "Bad Request" } }, - "recorded_at": "Tue, 01 Apr 2025 14:31:00 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:39 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.frozen index 562f84a67..0ca7f984c 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-15T09:10:09.401Z \ No newline at end of file +2025-05-15T11:49:39.767Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.json index 86a384245..c9afae674 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentpolicyreturnsokresponse1747309779\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"99n-cjh-wuo\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708209551,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"5fp-rz1-sdc\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentpolicyreturnsokresponse1747309779\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309779800,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -32,12 +32,12 @@ "message": "OK" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:09 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:39 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"Updated agent policy\",\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"name\":\"updated_agent_policy\"},\"id\":\"99n-cjh-wuo\",\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"Updated agent policy\",\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"name\":\"updated_agent_policy\"},\"id\":\"5fp-rz1-sdc\",\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -49,11 +49,11 @@ ] }, "method": "patch", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/99n-cjh-wuo" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/5fp-rz1-sdc" }, "response": { "body": { - "string": "{\"data\":{\"id\":\"99n-cjh-wuo\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"Updated agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"updated_agent_policy\",\"policyVersion\":\"2\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708210164,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"5fp-rz1-sdc\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"Updated agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"updated_agent_policy\",\"policyVersion\":\"2\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309780400,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -66,7 +66,7 @@ "message": "OK" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:09 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:39 GMT" }, { "request": { @@ -77,7 +77,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/99n-cjh-wuo" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/5fp-rz1-sdc" }, "response": { "body": { @@ -94,7 +94,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:09 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:39 GMT" } ], "recorded_with": "VCR 6.0.0" 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen index 12d907c5d..4fa986b93 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-04-15T09:10:11.192Z \ No newline at end of file +2025-05-15T11:49:42.006Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.json b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.json index e997cf7db..9500b635f 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1747309782\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"1i5-k3r-2dg\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708211304,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"jf9-1l7-q9l\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1747309782\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309782037,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { 
@@ -32,12 +32,12 @@ "message": "OK" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:11 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:42 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"policy_id\":\"1i5-k3r-2dg\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}}],\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1747309782\",\"policy_id\":\"jf9-1l7-q9l\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -53,7 +53,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"qtl-8mk-8gy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1744708211716,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"updateDate\":1744708211716,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"lcj-vq7-sqb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\"},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1747309782533,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"jf9-1l7-q9l\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1747309782\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1747309782533,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { 
@@ -66,12 +66,12 @@ "message": "OK" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:11 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:42 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"1i5-k3r-2dg\",\"product_tags\":[]},\"id\":\"invalid-agent-rule-id\",\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"jf9-1l7-q9l\",\"product_tags\":[]},\"id\":\"invalid-agent-rule-id\",\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { @@ -83,7 +83,7 @@ ] }, "method": "patch", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/lcj-vq7-sqb" }, "response": { "body": { @@ -100,7 +100,7 @@ "message": "Bad Request" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:11 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:42 GMT" }, { "request": { @@ -111,7 +111,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/lcj-vq7-sqb" }, "response": { "body": { @@ -128,7 +128,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:11 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:42 GMT" }, { "request": { @@ -139,7 +139,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1i5-k3r-2dg" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/jf9-1l7-q9l" }, "response": { "body": { @@ -156,7 +156,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 15 Apr 2025 09:10:11 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:42 GMT" } ], "recorded_with": "VCR 6.0.0" 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen index 1a52f175e..65b9de2db 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-04-01T14:31:02.941Z \ No newline at end of file +2025-05-15T11:49:44.898Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json index eafa37bb1..297c1d1b8 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862\"},\"type\":\"policy\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsnotfoundresponse1747309784\"},\"type\":\"policy\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"jnw-szj-ssb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517862965,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "string": "{\"data\":{\"id\":\"zt4-lsl-d6r\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsnotfoundresponse1747309784\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747309784931,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "encoding": null }, "headers": { @@ -32,12 +32,12 @@ "message": "OK" } }, - "recorded_at": "Tue, 01 Apr 2025 14:31:02 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:44 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"jnw-szj-ssb\",\"product_tags\":[]},\"id\":\"non-existent-rule-id\",\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"zt4-lsl-d6r\",\"product_tags\":[]},\"id\":\"non-existent-rule-id\",\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -66,7 +66,7 @@ "message": "Not Found" } }, - "recorded_at": "Tue, 01 Apr 2025 14:31:02 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:44 GMT" }, { "request": { @@ -77,7 +77,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/jnw-szj-ssb" + "uri": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/zt4-lsl-d6r" }, "response": { "body": { @@ -94,7 +94,7 @@ "message": "No Content" } }, - "recorded_at": "Tue, 01 Apr 2025 14:31:02 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:44 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen index 36ea0d260..5f4958b3b 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-04-18T09:10:14.669Z \ No newline at end of file +2025-05-15T11:49:46.132Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.json b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.json index 8fc308d7f..af1aa58fa 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.json 
@@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414\"},\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1747309786\"},\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@ }, "response": { "body": { - "string": "{\"data\":{\"id\":\"03s-ro8-kgi\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414924,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414924,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", + "string": "{\"data\":{\"id\":\"acg-2ix-y1d\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1747309786\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1747309786339,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1747309786339,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", "encoding": null }, "headers": { 
@@ -32,12 +32,12 @@ "message": "OK" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:14 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:46 GMT" }, { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\"},\"id\":\"03s-ro8-kgi\",\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\"},\"id\":\"acg-2ix-y1d\",\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { @@ -49,11 +49,11 @@ ] }, "method": "patch", - "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi" + "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/acg-2ix-y1d" }, "response": { "body": { - "string": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}\n", + "string": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1747309786` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}\n", "encoding": null }, "headers": { @@ -66,7 +66,7 @@ "message": "Bad Request" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:14 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:46 GMT" }, { "request": { @@ -77,7 +77,7 @@ ] }, "method": "delete", - "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi" + "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/acg-2ix-y1d" }, "response": { "body": { @@ -90,7 +90,7 @@ "message": "No Content" } }, - "recorded_at": "Fri, 18 Apr 2025 09:10:14 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:46 GMT" } ], "recorded_with": "VCR 6.0.0" 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen index 30a73c79d..7fea2940d 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-04-18T09:45:20.422Z \ No newline at end of file +2025-05-15T11:49:46.725Z \ No newline at end of file diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json index 8d81d9ff2..5d0e94300 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.json @@ -32,7 +32,7 @@ "message": "Not Found" } }, - "recorded_at": "Fri, 18 Apr 2025 09:45:20 GMT" + "recorded_at": "Thu, 15 May 2025 11:49:46 GMT" } ], "recorded_with": "VCR 6.0.0" diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen index 0ad336788..2e1765687 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-18T09:10:15.690Z \ No newline at end of file +2025-05-15T11:49:46.794Z \ No newline at end of file 
diff --git a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json index b549ff932..88aa09eca 100644 --- a/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json +++ b/tests/scenarios/cassettes/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.json @@ -3,7 +3,7 @@ { "request": { "body": { - "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\"},\"type\":\"agent_rule\"}}", + "string": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1747309786\"},\"type\":\"agent_rule\"}}", "encoding": null }, "headers": { 
@@ -19,7 +19,7 @@
 },
 "response": {
 "body": {
- "string": "{\"data\":{\"id\":\"szj-quo-wak\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967416010,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967416010,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
+ "string": "{\"data\":{\"id\":\"vl1-low-ydl\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1747309786\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1747309786899,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1747309786899,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
 "encoding": null
 },
 "headers": {
@@ -32,12 +32,12 @@
 "message": "OK"
 }
 },
- "recorded_at": "Fri, 18 Apr 2025 09:10:15 GMT"
+ "recorded_at": "Thu, 15 May 2025 11:49:46 GMT"
 },
 {
 "request": {
 "body": {
- "string": "{\"data\":{\"attributes\":{\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"szj-quo-wak\",\"type\":\"agent_rule\"}}",
+ "string": "{\"data\":{\"attributes\":{\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"vl1-low-ydl\",\"type\":\"agent_rule\"}}",
 "encoding": null
 },
 "headers": {
@@ -49,11 +49,11 @@
 ]
 },
 "method": "patch",
- "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak"
+ "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/vl1-low-ydl"
 },
 "response": {
 "body": {
- "string": "{\"data\":{\"id\":\"szj-quo-wak\",\"attributes\":{\"version\":2,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\",\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967416010,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967416272,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
+ "string": "{\"data\":{\"id\":\"vl1-low-ydl\",\"attributes\":{\"version\":2,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1747309786\",\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1747309786899,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1747309787043,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
 "encoding": null
 },
 "headers": {
@@ -66,7 +66,7 @@
 "message": "OK"
 }
 },
- "recorded_at": "Fri, 18 Apr 2025 09:10:15 GMT"
+ "recorded_at": "Thu, 15 May 2025 11:49:46 GMT"
 },
 {
 "request": {
@@ -77,7 +77,7 @@
 ]
 },
 "method": "delete",
- "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak"
+ "uri": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/vl1-low-ydl"
 },
 "response": {
 "body": {
@@ -90,7 +90,7 @@
 "message": "No Content"
 }
 },
- "recorded_at": "Fri, 18 Apr 2025 09:10:15 GMT"
+ "recorded_at": "Thu, 15 May 2025 11:49:46 GMT"
 }
 ],
 "recorded_with": "VCR 6.0.0"
diff --git a/tests/scenarios/features/v2/given.json b/tests/scenarios/features/v2/given.json
index 696fef088..e6961de93 100644
--- a/tests/scenarios/features/v2/given.json
+++ b/tests/scenarios/features/v2/given.json
@@ -555,7 +555,7 @@
 "parameters": [
 {
 "name": "body",
- "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"enabled\": true,\n \"product_tags\": [\"security:attack\", \"technique:T1059\"],\n \"policy_id\": \"{{ policy.data.id }}\"\n }\n }\n}"
+ "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"actions\": [{\"set\": {\"name\": \"test_set\", \"value\": \"test_value\", \"scope\": \"process\"}}],\n \"enabled\": true,\n \"product_tags\": [\"security:attack\", \"technique:T1059\"],\n \"policy_id\": \"{{ policy.data.id }}\"\n }\n }\n}"
 }
 ],
 "step": "there is a valid \"agent_rule_rc\" in the system",