diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen index 3e948e09cbb..6c7d10de70b 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-10-10T15:20:39.566Z \ No newline at end of file +2025-10-16T16:02:45.546Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml index fb1cea9c31f..92fdd0962a1 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:20:39 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:45 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760109639"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760630565"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,19 +14,19 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"sr5-i0h-lty","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760109639","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109639958,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"qte-y0f-deh","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760630565","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630565905,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:20:39 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:45 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name","filters":[],"name":"my_agent_rule","policy_id":"sr5-i0h-lty","product_tags":[]},"type":"agent_rule"}}' + string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name","filters":[],"name":"my_agent_rule","policy_id":"qte-y0f-deh","product_tags":[]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -37,22 +37,22 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"errors":["input_validation_error(Field ''name'' is invalid: the name - ''my_agent_rule'' is already used by a custom rule)"]}' + string: '{"errors":["input_validation_error(Field ''expression'' is invalid: + rule `my_agent_rule` error: rule syntax error: bool expected: 1:1: exec.file.name\n^)"]}' headers: Content-Type: - application/json status: code: 400 message: Bad Request -- recorded_at: Fri, 10 Oct 2025 15:20:39 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:45 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/sr5-i0h-lty + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/qte-y0f-deh response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.frozen index dded21a6a08..5eb0d39e892 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:20:41.757Z \ No newline at end of file +2025-10-16T16:02:47.386Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.yml index 55223f867aa..46fdd0c2c81 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.yml 
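Review bot: The 400 this scenario now records is the expression-validation error (`bool expected: 1:1: exec.file.name`), which is what a "returns Bad Request" scenario for a bare `exec.file.name` expression should exercise, whereas the previous recording was rejected for a different reason entirely — `Field 'name' is invalid: the name 'my_agent_rule' is already used by a custom rule` — i.e. a leftover rule in the recording org. The request body on the previous hunk still sends the fixed name `"name":"my_agent_rule"` while the policy name is uniquified (`testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760630565`), so any future leftover named `my_agent_rule` would flip the rejection back to the name-collision path and a step that only checks the status code would still pass. Suggest generating the rule name the same way as the policy name in the feature file so the only reachable 400 is the expression error, and, if the step currently asserts on status alone, additionally asserting that the error body mentions `expression`. Whether the feature step checks the body is not visible from the cassette.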
@@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:20:41 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:47 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760109641"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760630567"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,20 +14,20 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"cwy-qfn-4k8","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760109641","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109642133,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"fip-pkb-s5r","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760630567","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630567772,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:20:41 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:47 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"agent_version":"> 7.60","description":"My Agent - rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760109641","policy_id":"cwy-qfn-4k8","product_tags":[]},"type":"agent_rule"}}' + rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760630567","policy_id":"fip-pkb-s5r","product_tags":[]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -38,42 +38,24 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"iua-dxr-uvh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1760109643225,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"x6z-2vq-clf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1760630568642,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["cwy-qfn-4k8"],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760109641","product_tags":[],"updateDate":1760109643225,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"monitoring":["fip-pkb-s5r"],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760630567","product_tags":[],"updateDate":1760630568642,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:20:41 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:47 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/iua-dxr-uvh - response: - body: - encoding: UTF-8 - string: '' - headers: - Content-Type: - - application/json - status: - code: 204 - message: No Content -- recorded_at: Fri, 10 Oct 2025 15:20:41 GMT - request: - body: null - headers: - Accept: - - '*/*' - method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/cwy-qfn-4k8 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/fip-pkb-s5r response: body: encoding: UTF-8 
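Review bot: The undo for this scenario no longer issues `DELETE /api/v2/remote_config/products/cws/agent_rules/{id}` (the interaction that previously returned 204 for `iua-dxr-uvh`) and now only deletes the policy `fip-pkb-s5r`; the cassette does not show whether deleting a policy cascades to the custom rules attached to it, and the policy DELETE response is cut off at the end of the hunk. If it does not cascade, every recording run leaves a custom agent rule (here `x6z-2vq-clf`) behind in the org, which is exactly the kind of leftover that produced the spurious name-collision 400 in the Bad-Request cassette. Please confirm the cascade semantics, or keep the rule undo in the policy-scoped form that the Delete-OK cassette shows succeeding, `DELETE .../agent_rules/{id}?policy_id={policy_id}`. The same undo removal appears in the two "with set action" cassettes below, so the fix belongs in the shared given/undo step rather than in one scenario.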
diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.frozen index 65beb25fa10..a5b409dad44 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:20:46.004Z \ No newline at end of file +2025-10-16T16:02:49.756Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.yml index 7d23cd825e7..d185e0b4531 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:20:46 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:49 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760109646"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760630569"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,21 +14,21 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"c85-dqa-6no","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760109646","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109646385,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"32y-irg-daq","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760630569","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630570147,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:20:46 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:49 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"actions":[{"set":{"inherited":true,"name":"test_set","scope":"process","value":"test_value"}},{"hash":{}}],"description":"My Agent rule with set action","enabled":true,"expression":"exec.file.name == - \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760109646","policy_id":"c85-dqa-6no","product_tags":[]},"type":"agent_rule"}}' + \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760630569","policy_id":"32y-irg-daq","product_tags":[]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -39,42 +39,24 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"ak5-bk0-dxq","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":true},"disabled":false},{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1760109647450,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"vpy-mmr-mqt","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":true},"disabled":false},{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1760630570914,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule with set action","enabled":true,"expression":"exec.file.name == - \"sh\"","filters":["os == \"linux\""],"monitoring":["c85-dqa-6no"],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760109646","product_tags":[],"updateDate":1760109647450,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + \"sh\"","filters":["os == \"linux\""],"monitoring":["32y-irg-daq"],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760630569","product_tags":[],"updateDate":1760630570914,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:20:46 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:49 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ak5-bk0-dxq - response: - body: - encoding: UTF-8 - string: '' - headers: - Content-Type: - - application/json - status: - code: 204 - message: No Content -- recorded_at: Fri, 10 Oct 2025 15:20:46 GMT - request: - body: null - headers: - Accept: - - '*/*' - method: DELETE - uri: 
https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/c85-dqa-6no + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/32y-irg-daq response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.frozen index 58f99083554..557b7dfba21 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:20:50.578Z \ No newline at end of file +2025-10-16T16:02:52.432Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.yml index 0ca872a4b02..5025d2c5355 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.yml 
@@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:20:50 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:52 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760109650"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760630572"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,21 +14,21 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"lrl-nbx-opl","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760109650","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109650938,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"4p0-bn9-wus","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760630572","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630572852,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:20:50 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:52 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"actions":[{"set":{"default_value":"/dev/null","expression":"open.file.path","name":"test_set","scope":"process"}}],"description":"My Agent rule with set action with expression","enabled":true,"expression":"exec.file.name - == \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760109650","policy_id":"lrl-nbx-opl","product_tags":[]},"type":"agent_rule"}}' + == \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760630572","policy_id":"4p0-bn9-wus","product_tags":[]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -39,42 +39,24 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"ye3-8k9-6ut","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","default_value":"/dev/null","scope":"process","expression":"open.file.path","inherited":false},"disabled":false}],"category":"Process - Activity","creationDate":1760109651835,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"pmh-h1z-xw6","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","default_value":"/dev/null","scope":"process","expression":"open.file.path","inherited":false},"disabled":false}],"category":"Process + Activity","creationDate":1760630573667,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule with set action with expression","enabled":true,"expression":"exec.file.name - == \"sh\"","filters":["os == \"linux\""],"monitoring":["lrl-nbx-opl"],"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760109650","product_tags":[],"updateDate":1760109651835,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"sh\"","filters":["os == \"linux\""],"monitoring":["4p0-bn9-wus"],"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760630572","product_tags":[],"updateDate":1760630573667,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:20:50 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:52 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ye3-8k9-6ut - response: - body: - encoding: UTF-8 - string: '' - headers: - Content-Type: - - application/json - status: - code: 204 - message: No Content -- recorded_at: Fri, 10 Oct 2025 15:20:50 GMT - request: - body: 
null - headers: - Accept: - - '*/*' - method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/lrl-nbx-opl + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/4p0-bn9-wus response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.frozen index 54a7e9471ae..d3788057868 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-10-10T15:20:54.465Z \ No newline at end of file +2025-10-16T16:02:54.974Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.yml index bd7d9b81b32..98cb2b7c29c 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:20:54 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:54 GMT request: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.frozen index 082197c3c7f..e4869610c0d 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.frozen 
@@ -1 +1 @@ -2025-10-10T15:20:54.885Z \ No newline at end of file +2025-10-16T16:02:55.426Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.yml index fbff7f28ce2..c216fa329c2 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:20:54 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:55 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"my_agent_policy_2"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"testcreateaworkloadprotectionpolicyreturnsokresponse1760630575"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,22 +14,22 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"fwg-18e-cfb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":7,"name":"my_agent_policy_2","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109655264,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"dkt-nw6-1fd","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionpolicyreturnsokresponse1760630575","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630575680,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:20:54 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:55 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/fwg-18e-cfb + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/dkt-nw6-1fd response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen index 305ade4fefe..8bdb85b0c64 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-10-10T15:20:56.705Z \ No newline at end of file +2025-10-16T16:02:56.973Z \ No newline at end of file 
diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml index e76365f49d1..3f6287f9847 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:20:56 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:56 GMT request: body: null headers: diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.frozen index 87d2cb8ed44..9cc98f9d83c 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:20:57.428Z \ No newline at end of file +2025-10-16T16:02:57.611Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.yml index a8d6fe46433..44c68422f44 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.yml 
@@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:20:57 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:57 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760109657"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760630577"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,20 +14,20 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"xm5-r6n-xej","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760109657","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109657799,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"zts-uzt-ngq","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760630577","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630577972,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:20:57 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:57 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}},{"hash":{}}],"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760109657","policy_id":"xm5-r6n-xej","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760630577","policy_id":"zts-uzt-ngq","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -38,24 +38,24 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"tpa-28k-utt","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1760109658753,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"46x-adr-zlz","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1760630578810,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["xm5-r6n-xej"],"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760109657","product_tags":["security:attack","technique:T1059"],"updateDate":1760109658753,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"monitoring":["zts-uzt-ngq"],"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760630577","product_tags":["security:attack","technique:T1059"],"updateDate":1760630578810,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:20:57 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:57 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/tpa-28k-utt?policy_id=xm5-r6n-xej + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/46x-adr-zlz?policy_id=zts-uzt-ngq response: body: encoding: UTF-8 
@@ -66,34 +66,14 @@ http_interactions: status: code: 204 message: No Content -- recorded_at: Fri, 10 Oct 2025 15:20:57 GMT +- recorded_at: Thu, 16 Oct 2025 16:02:57 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/tpa-28k-utt - response: - body: - encoding: UTF-8 - string: '{"errors":[{"title":"failed to delete rule"}]} - - ' - headers: - Content-Type: - - application/json - status: - code: 404 - message: Not Found -- recorded_at: Fri, 10 Oct 2025 15:20:57 GMT - request: - body: null - headers: - Accept: - - '*/*' - method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/xm5-r6n-xej + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/zts-uzt-ngq response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.frozen index de2709ec9c4..0c6bf64de66 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:03.071Z \ No newline at end of file +2025-10-16T16:03:00.767Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.yml index 99ddbc7d184..a98e72494a3 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.yml 
@@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:03 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:00 GMT request: body: null headers: diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.frozen index 297fc82a10f..0315712f081 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:03.805Z \ No newline at end of file +2025-10-16T16:03:01.374Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.yml index e04e84b9248..82064cd7e0f 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:03 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:01 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteaworkloadprotectionpolicyreturnsokresponse1760109663"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteaworkloadprotectionpolicyreturnsokresponse1760630581"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,22 +14,22 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"qdn-itt-2ed","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testdeleteaworkloadprotectionpolicyreturnsokresponse1760109663","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109664181,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"luu-tiz-w3q","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testdeleteaworkloadprotectionpolicyreturnsokresponse1760630581","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630581737,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:03 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:01 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/qdn-itt-2ed + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/luu-tiz-w3q response: body: encoding: UTF-8 @@ -40,14 +40,14 @@ http_interactions: status: code: 204 message: No Content -- recorded_at: Fri, 10 Oct 2025 15:21:03 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:01 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/qdn-itt-2ed + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/luu-tiz-w3q response: body: encoding: UTF-8 
diff --git a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.frozen index 4bafa3fab2b..b5ffc2188c9 100644 --- a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:06.447Z \ No newline at end of file +2025-10-16T16:03:03.481Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.yml index 14df3962f7d..33346b2ec28 100644 --- a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:06 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:03 GMT request: body: null headers: @@ -12,7 +12,7 @@ http_interactions: encoding: UTF-8 string: "# IMPORTANT: Edits to this file will not be reflected in the Datadog\ \ App and will be overwritten with new policy file downloads. Please modify\ - \ rules in the Datadog App for full functionality.\nversion: '1760109666865'\n\ + \ rules in the Datadog App for full functionality.\nversion: '1760630583977'\n\ rules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An\ \ AppArmor profile was modified in an interactive session\n expression: exec.file.name\ \ in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n \ 
diff --git a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.frozen index 1292830f7ab..a1e520914a0 100644 --- a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:07.476Z \ No newline at end of file +2025-10-16T16:03:04.509Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.yml index 75697778522..6aa3f8989ed 100644 --- a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:07 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:04 GMT request: body: null headers: 
@@ -10,7 +10,7 @@ http_interactions: response: body: encoding: UTF-8 - string: UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAANAAAAY3VzdG9tLnBvbGljecx9Sa8kt9Xl3r8ioV4fKTiTArwQ0A20F+42DO+FGBhDxjwPv/5DZsmQ7O+9zxVZkWTVqvCQbziH5L2X5w78X7e//PVv///v//jl//3j59v/SYppvE3tbcqL8ZYWlb2tRVXdmna6RfY22LSy8WSTW9Hcptze/nc4hUmb3X7pulvYJF8+HNlbu9hhHYppss1tLab81tj11rVVEe9ffmrSrk3Vhsn44+1vlQ1He6vbpEj32zBXdvzox6ftcEvnqrqlcxNPRduEVTHtP/5pscNYtM3Ptx+E5pT+8KfnT/j5T7fb7YZbkfx8+3vYJG3dhLV9fvF2S+wYD0U3ffm2H377alpUkx1++84v392Otz//+fZDVTTz9s+PTWH2h89EYVzaJvn18Ut/ffwyEUzIaICGt799yG7dYMcvf2Pb2ebHBwE/Pv6c5w+3U/zTmIdJu/7UheO4tkPyz1+VFGMYVTb5+ZaG1Wj/AMluYd1VNh5sONkwHuspf/x3DDPbTI+/ZbDTPDRjWw527NpmtEQRTiWXlH9Ewl/32y+Pb33SfykfvI4RbAOWav2AD7vZ+N/4GPN3wZdGOod/zAxqL8DWwDd8pVngGv6WUVRzjTsNfcPX0nDX8IexRhrW6NLOO3zNtGv4c7Vhae84SuYbvqEqoNIt/KZoIcyKotOe4QuqlfOzL44JdzEj7Gvf8DkXzs9+qVdEQwZBKt/wReDe8tvZIutHCLN4h88ldX32zXqgziYcpW/LLyTR1PXqp0WBfSygotk3fE2Mc8eX5xVMU0JXo3f40v3ZH2KOSDCw8e4ZvmSB+6hvZQn6ToPtkW/4nATOz368NOjHFUXU+IXPNJdGm8At/GVPQJcIU1P6hc85FVq6hj/fN4zlBiaNZ/iCBiZwDf+eEtiOoirU5fATW9mvhk8FNSKgzC38uYqRNwTxIfzCZ1RJ7VztuUcWmipMvefVZ0Iy7tzy22OFGmqs8fVqT2anr8ROOBFCUeIWe8cbFPcah70+4j2DnSrjPN7rih5RHqKWk1fsgmlKhVvsQ9NCsBp1er3GdQa7FMx5oButdzRBjXm63tqfwi6V+yteSdEPCdjd755XRjlf9yM5MNsE1Xx9TucMdh+a9pQSRFkPFV1/uTuBXRDqPrxhwoKaFX3u1ccJphh3beeL/Y487JEsfrHzgDqP64Ysxdoq8PR6PecMdsGI8/M+Tj3mdYNNE7/YZSCd7/kgQl4GULnX2EYGwr2KFRwViqpFNl+fvziDnQnq3M5blYFNBHnn1dZJIdzfYfvWYucUeX994uYEdsU9ZG3GIgbpNkjjdd01p9I5dlaW4EONfs58YjeBcJ+uipTBFmeQzOueN0a6r1JYbIY+5aiywS92TbhztbZssN9T5NKnXkcDRtz7uHGscVQ1lj73iZ0ESjg/730UgvQ15rtP3YYSQtxrlXO+opx7zJP1il1K9z4unRIkzCLafWpWlGjBnNs60xBUJMPMr0/LnsFuHjGtY+y8r1GUE9LOp4+jVHqIbRI1gRcck918YmdEuY/n6yTEHEbYWp86LeWUCOd2nsULhrUDna5PxZ7BLrmHmHaJMKYl7g3xil1z9xp1VQS4iwlB7lO3oYJLpV3b+bzqoJMBQeFTr6NCa/fl1tvKMa8ade3VzmvuodyUZSuWckOkri83PYHdcOo+D7ttMZhoEXa7V+xKu8fO8jvopLEn13dYfD12FtBAOI/nj0mjTQLsm0+tkgVcBM7j+XGpQEeOe8K9YjfMva3b4xjVEkC2PnORjAYe7HxCMyTBgvUNLUVnsAsPOSk1GoxpD1p6tXXUR63RFFGw4g5rferzjPpooR3TO7Jyx9D69O+MPhtIXWM/BMplByt91h4wF
hD3tYV0aVCREVHgdd2Zj5qTJm7BKUNeeI1t2LNx0jH2SigkeoZNfOZhGXvW2zjGzscDcawwez7vQrnX61qToZtK0MOnbsOYDNzXlG5ZgDkw2Aqf+jxjKnA/HyZtM+iSID0Kr9iNdL/u63GgKTSE9LrneeDhDlsnDYI8x7z61KgZD4z7XCRrNwTSYuOxV+zMuK89mPcFoSmhK595GcY55dL1uouIowwWDIfPfBzjnBnnnaGrDBDqBP3gNbbhXLuvnz/GAbvhkDP1il0b95pVMEnMsYW11w9AO4PdEPe1xGmxYp0XzNbrXUYEyr1e1+gKQ7Qj4l73vKDE/dC/hXDkS4bAa88IE1S7z7+PeYpoHkAKv9gFd6/TEj2AKoZQetVthJDufRzZR0ypxsz8nnfpoeaE2DuqQ4IVXrVKobh7fd5ogk21KI6P5t26w24C9/U22igIeQefveYihTEeYhvRobYNtsNnrRFTnDHCHK/7OlFoHmHepUfsnHLFiKZusVNp0MkdxRt6heYu+fr5Tr+NOvkQ/j/sOL2LgGVbYIIYS3198cVJAhh9/HNNwDCFiPQCPqfeCRDEww7oW4q+aCDz6691JwnglH2i5LyTgLBtMTYzJnF9nHuWAEE+cfvvJGAZS9h1x6ivd35nCZDyE+3+nQS0fICcOuzl9arOWQJ08ImQ+04CFAmwHRnC/fqS25MEiMB8ksF4JwHTfUARcWT79b2jZwkQ1MMO2G0HO++YJu+BkJDKgxfoRg7JRkTH9VmsswR82jz9TgLKcEMfZ+hn70ZQks8yuO8kgHKBvZmwxdfrHmcJ+DSd904CSC2RZAGq/vpht2cJ+LTf6J0EsC0FDzh6e3gnQFMPR8DKCn1LsFPrnQAjPRyB0giUFcd9u76n/CQBz1GIzm+DdlQY8gXN4D0Q0vSzu8D79KBxr9BSgyDpvcPngXS//mpMkJAB03j9MI2TBBhOPBwAoxJ0JsFGrs/4nSNABFRp9wTUWYVtyhBP17flnCTgORXUOQGhSdEagXDyLYgJqqgHAoZ7jaiYEfW+jeCX2ajOCWjaAbsIwcbr3/w4SQAn0sMO4GmLrOgh0uvfejtLABcedkCsDHSSoayu778/S4AwHrxAyjvQ9Y588J0WEfwRBzsnIGpn5EsNyq+fqHaSgOeDd84JqFKCUWfY0+tLm88SwIiHI1AOG+I2QHdcXwN0lgAlPOyAuc9wBBM08+4Gn31MzgkoiwRLWSK9+xbEhGQ+IsGcN9jnHrT2nRUQUn52G3yfGtDGC1YrkAnfirBQ0kdxRH3kyJIQMfVdHfJlarp7AqYMI0mx7b7lECm96EEyLCG7FklyfXHYSQI08XEXFEME3ht0wrcaoAjzcQQitWLLMrSxbzVAcS9OkFQUqs9Rp74lcSWVj5xArRT6bEbMfasBWhMfgXBKI/TJCJb6doMmYD5qBLecI14oYu9HwJjHRcA5AelmUTQxzHF9bfxZArSPtEgXMVDZgAvPl2EacOXjCOTZgKbZoY7rp1qcJEAGPiLBdcmQR3fI1vcOIJRrD7UB5l6AdhRL4LlAihKmtIfqkKSdwYM74u76hv+TBEgvdcJ9YsDMCEE8l8lSqgIfpfKZuSPPU6jQc3kMZQH77OWBdxKwRxlik4Ca69/LPEmAnyLJfMwwtTkK4TkrQNmzQMo5AVOxw4gYdem5TphK9mla5H2SqBpWZMOGSnlulqFKU+MhEC7JgGkJUUjrmQAtJf8kDnzf+vOohA1D3IXnGIAFRPooke1LiqxsIIhnA8gCKn3khfeowtRphKFnF8gC7qVllm0JlrBGnni+CDFKqY9OkaFlOISEoJ7FEEafDZOOTSALd5jFgr3hXZJz8JmnAkkpQfsd2+rZBTJG+Gcm8H3rb9oUNoqxd57LIhijXpSgSGrsvcHGPGeEGPNTIGsXg2Fr0NbXT/s8SQDzkhPMkhFBHWOsvFsAST7LB7zPAgxrChGmuIe+g2D2eVnMO9f/oAsawZEZz
/kgxonyUR671CEOsSIqPFeGMc69NMrtoQHXBSTxbQK5oJ9ViL/PAlSmhogtMnP9nO+z8L30CZbRhr3KUGrPdUGMK+VDCB1sjIX1sMSzDsi4Mp8NQH4nAdMgkJkO/O65ReK3ScDuCehGmGPB0nkujv1tRKZzAoIhxsgnJIHnHhEmJPGxA2w5gG136N23ECKk8TE5qpMtJqPReL8ICUV9DE5qZot1K7Az33GA0J9mA95JwGoEEpYjZp7LYpgMpPRwFZarBtsa3N/w+sVJAnSgGA9cE5DHA1i3QxaeawJ4EFAREOc2IAgSlGmDdL3+LceTBFBptHsCYjuD5RL9fGGJfBpn2Zj2RRJ/BKdoiqkIqz9+8VJIaT0gaQPo5qPYru1s82+Q7BT/NOZh0q4/deE4ru2Q/E8Yb7duaJM5nn791z8Et7itu6oIm9j+mg5hbdd2KH/+v3/52y+//IGcMp+Lda2yo/RBjmhLHIlCln4kfngnp95/fZ6SX/+w0R3JAq1NUIYa437h7Iw2mrpubLcj97HY6bBjOBpk1UcT0b0vdl/di7Soo+hjcupbeP0qL2aDKSJMw0clAN9OyRdkQ7imSX1slRcDOBY11nuHYftoFNq3Y/zGZR/Hdqqifgg3d8tOsjtW1kL0H6n+r1IyDfMfV32y4xQ/PP1XO31JjGBKf8TD+wydHiokrMC2X/jW3wvYJSHCOJ4R1s4Ky5YgNRfGe69gp5pTx+vejxnskWHaLyz+eQU7C5gUbrGHZITeW3TjhRedl7ATJhyv+xKHWJYKtbow4fcSdiaIY+zFeEd5LLDRhVNBX8IuVPDh9f592Fm2o7Q5ou7i857Yyp7A/vBxmrjFnu09pm7Bslwobb2A/enjlFvsi64wRT2aK6vcX8FONWeOc7ssn1D3NfbowsTWK9gfPs64xR5vGhsZsIwXtnq/hJ0w6fi8RzZG3MRYq4vt/GnsTFDH2LO9RXjfQeSF085ewi5U4DiuK7IIDa1Q5xd29z+wn3j86ouDc/zome03FMWOdbiwl+cscEmIdB3VLK1FbSvo/cIC1tPAH67N8VY/lh1HPqKOLg7jTwFnAVOO7+xhcUeXH1DFxbb9HHDi/NK6bQL3UmFRF5YonAfOBHUMvCs2hLRH2/k0bg935jiEy+yIvhXg3cUhXNaeurASIbn7S1s4TijGBNN04ci+F9AzabQkrsN3UymEtUJ+5VOer6DXkirl2shPa4CdWpj1wnq0B/p7uISn8FMtiZLK8erHyY546dD2Fzu50/gZFYZw17t/mnLcOcUSXxzIP/B/vdknRBjBXWclqtyiHA9sV9YiPsB3+5S3zanlp4LyQLtefsVy7G0ATi/szH6VAak1CwLHylWb92g3i3t08QF4gQFGaMAC5Vi3NISiminoeGEp0oOBYT4T+dGACEm042utiDUeF53fX9G+EPx/rESLwmSw/fz4+O88cEqkUdIxD/cdug+xrBcLuNPe/Ybg1FHgMjDKEMcXoGhtcFQKSVB+JywQzZnrx+2jewnd1pDzxYrHyyxwzgR1bBZ3W6HRCdL84nTOyywIaszHtcrvY6FPQ3R5imn7XvaCJJIqxyyoI0VdHxDy4hvyyyyogErtOFTaaIec9xi3C595+zYWtKHCcQbgvgnsaYl2vLiM63cWTiaAnp7SsXWc2wFVeuA+XFzQ9TILT0/peC+U1QZ+1LDZhU8dfBMLT0/p+BI5HjOmssa2vC12PMnC01M6to42W1AuB3JzcYLsZRaentIxC8m0INlKsCsH/XwTC09P6TiCvqsVRdphuHLYybex8PCUjn1EubRoVYouuzid9DsLXy8vkEAEgVGOL5SUVxhGgyR4m2n8egq4MFpK7dg7rOuCWFGs9GJ56SUKvgRLjilohxiZjpHWF1cKvUbBM1JyrC/tC8e0LmjG7+EgPMMk5jjNGsUxsr7BdHWi8TUKnjGS43h5CTfEuUFhvouD8AyQHIcGRxmj7Bukw9sCpDMUPKMjx
7ugHHrENkGRvO3ueIoCbajrulkZdchUiiW7cA7Ov1LwUvLhi390XXeUjxs2UoEdF3dMfDMbD1fJHVuIvdpwkBb3+9tkthfZeHpNx5eIuCqRVg2U+N7YeDhQ4ViIDjMFzRWy+m0xxItsPH2p47iasx7BfQH57uzGw60ax3tjWDTmqUY8vk2MfJUNbahy7GGngmMoZwSl9cbGv9R2cGmo+bi+552DZrpDYVgixOXbgq1zPCgjCNMfepF38hBPMbp5QzW/7epxigceCM64dtyXu0iOvk4xhRcOW/kWFr7Em67FiGDE1BbY97eVeZxk4RlnOr6GccZRzjmy4G0i9UkWnvGl4xPR2xGW3TESf/HlfxdmhGNvadYRfVuhf1/a5iQLPuJJ2w7YmhR1+LaSn5MsPONIx3tBTx2SOkOrvxe78IwfXScyRYS2amHjiycZ/EfsnygRRjDX9fGFKLClB9btwrc7v4EDSYgkjm9VZTgiiySK+mL/8CoHVHPuOF4i8YolO2DDi5tkXuWABc4bv49gQp8kqMqLtYaXOSDMdTa7TAvYNgOvL749vMyBez0ySzsMy4E0vrjM52UOhKKObaIMJ6y2hdwvLgr+jxz8263p4RMd24H+KBHqHEV5cSL7JPanL3QcE233BPm8oIitX+wPH+j43IerwjR3GPcLX7J/BfvD9zm2++neoTAl4uXiLsHT2Alz3R0XqBlFX6K2F6vqp7G710Y43xHZAlF/cX/saexCuZ7uNNoGVVKiWS68+6zZNiZTNtUfj+B983zi4z4hL1qM20cm7NVhvL9jfGk+8X8FAAD//1BLBwhbQCtOkhMAAH0QAQBQSwMEFAAIAAgAAAAAAAAAAAAAAAAAAAAAAA4AAABkZWZhdWx0LnBvbGljeey9e3fbuNU3+v/zKVCdrnkcv4FulmU750l7XNvTyTu5eMVO+3aN83JBJCTCIgEaACUrTeeznwWApEgJlERLtuyMpquxCAIgyH3BZe/92/8PePfh8tPn69OP12/AhUekAJIB6RMB+iTAYEyCAFAmQQ8DjvsBdiX2AKFA+hicI4k8NgCnUQQQ9UzlHgZshPmYEykxBWMifUDxGEQsIO7E9OqxMQ0Y8kQdXAYYCQxC5pH+BPA4wMLWfZ9x0I+DAPRj6krCKAqInNT/a4S5IIy+Aa36YavehNw9+C/dyZv/AgAACIj3BqCxcNyAOLFAA6zLAfCwcDmJpG587WNw+s8rcPb+HYglUV2DMRIA32M3lthL2vRJIDFPujbdMwHevgW1gND4vpaUSzTI1ekhd4ip56hROWo0Hu7DZrMJPXqbVML3EcfCvId6ZF19pDpFIdado7FIu/aIQL0Ae29AHwUifZeIMy92pVN8MAQSuZK4b65Pm81mG5qXIYzma2DXp+Quxm+uW93DFnQDFnsQeSGhREiOVHXosjBE1Ms1M7R808NCwojrp+D529LnGEnoYYnd7LlTipDQEzZinFJNi3cfzq80EVwUBNgDI4IAAhTLMePDlEobJcx4MIJj0YNR9mHnCKM+hWLP32rjAZa116DmxjxQf4NxBFO2rn0FP/1kGiA+0Pz82++1/Vb3pN4+7NSTv40ASSxkI8QSQQ9J1CAobAjsxpzICXQ59jCVBAWisV97DfIdHDXr7cZ+I1flr8R7u1/7ujabdHPPhch1sRAl7HJ42IYx1cPFXn60G+WTbzHHCzlFVdgCr7jtATxoxfA2Gj4JrygmMTyiP7OcNBiKpd9uSDbE9K8oIjBRhT8iG7gsjEiAuUOo4zIqEaGYWzkiq1rQ34BQQTwMWB8gMNvBZhgC+z6cRD14EgUWhtib4YhbNEKuZokA0YH6MXD1dc91a1/B9++z88CKrfYs08eA1aws1otJ4CWahcd0v/b11StVMfs+deKBP72t6dYRZ4oJ6oi6WEjGhXlIhKQP/vQW1Bqx4I0eoQ2XBCQOIRpgKteftQ6hh/uYCgzxCInyuavZPoKs14+FiyT2oBqbg
IxDQvuMh2hm1lubHz0cBWziRJyMlvGjqkMCPMDe9MMaVaV6f6SlxW38rUwrTXlDka1mIfhcaTJSB0nwP6Al8uzgosiJMA/VWs8DP4Gz00vn6l9Xzun5h3cfwV9Ac20O6MDsC0IsXBTMErOwhGm1dKUIQ8mgz4RckaxgMV8Yqg/caNFU9Pezyy1MRJx1IL+NYWt0V0bytSaidOKpDxgbBLhOqMScoqChFG0s8Yd0Yhq1GoQKqRREQ2A+Ii5WMweLqRQND/dRHEgzW80sZpIZbo3+frj5TnGZM2qVb1hya+RRC3B8F2MhNeMRIeINa5VgeAtvaQ8Ofdu6WI21rvcNTsTZiHiYZ7sWxVH6PhqLOjFLfmfUVvc1hfKqZKqY1HaTUPDnfxc+g5MwgfjPHLUlj9ORIf0pC28ssJxeqv/UQ2a+cdZ5oWKf4MB7Mz/CQiUURZgWB2H+kzJ4A1rN7L/nx46G2SLkDtUnCBFFAxxiKpcusy5NEzBtonnPsLI5H3isdVZ45MFR4MODSam+m65MjA7L1iYokmq9My3wouGgUMCjsHAdUyQlph72YBwNOPJw4TbV1XNPiEi0Py0JmIuCfPm04iQ2DxJmXMPsZkB6DUFR5Jl/jVaen6HX1njLzwOahyfp1h+q/yf0pwOo54CIY5nRdplaA6sw4pR7HX0cRLDnuH7IPBsLXmEqiCQjnGumD5cEGGOeHCgR7IFYEDpQkzCjUE0nHuIekIwFG2VLcRLCPruDd3e2ldd3mLXcK+iIPf1+MxwLag0s3YbwkcfGmjHU5SC5Bl9fFbqYVaG6m0SF/pZy2IhE44zFiiXJ1YDP3s+V6IV9yoPelFcz/rbc1PLF3KG9wewd/cwBZ3GEvJnSWGBuLQyZpdDDQWEIgwgJMS4Oy/XRABebur6lXlIEvpZ9cNtuKP30L13vZO9sNoVTPvWwkITqZXg9ZJ7eSORuq6K1tdPqE2CzeQCZyFf34jAidDCvd9QKMyCKZkuVDhvTF6B0pNeGBy0XBrRTUemwMd0pnZ3SeeZKJ8+oea0Tm1VQ7q4q+f4dlNQfzNUfEO/VC1dSAaHDF6CjgoBA9xuHd51JJR2lXq+iiip08P07mHaRZ4aVu9tpvJ3Ge0qN98L1EYswdUbtF6CS0lPyg95JFZWkXrDeD9BAgJ/A3t4n5+zzxen190/O5/N/fv7+yfnn508f3//r+yfn+vOXj2evXoG/gCb46aeiWjOdVFJrOz2000NPqYcqmoT+Ak6a4oXrLo5zx7rPWXU1J7dwwCPohvdVVNeeecGKiqfQxffvIN/JbkW102TPXpO9cK0U0xeyx7trHkP3JIBcRJW0knnBilppp0R2SmSnRFZXIpKE2Oqy8syUyHB0ApvtLhz51Sxo5gV3SmSnRHZKZDNKhEjiosAZE+qxsXC0SsgUik2ToKwRSBolwSNIgJl25boiabmitkjPcO4HXYu2GHMis43KiLjYybmD3Jzropv9m+SRN2IiJA4P2jf7m/CdXtln9aALQyTuYiWbVejDqIOkc8t6jt6GE0bL3SROKYgpiqXPOPmGPXDLeposyPOwUuK6OyBcH3txMB3EZlQ6G/SgG0TQZ7KSSrc6Rfxea4wQb4iIsaChRt3YT+RVqXZVUN+fK5KoN1cgVK2KM0CmhmRRCyaPAJuwli8ZxWMqw01MTNWV6vqitooT0wFMuBt7UCIxhIzDW9abl7bljktV5LHEg2Cr8jimQ0gDAmmv2j7N6i/wkuTxSQzJO/n9ceS37OBlq+IbuiM4OWTw2+CwkvjaDlk2LL2FB65gen/w46tu3Sooip0Y/3BizCL8/GbhmAjotw5gp2XzYF/R/FxifV7d6PxgCXzi6XsnlT+cVJZbW7cql/eoBXvdEaRtWwRvVdvqhuWr8MiVbLEPHsBuit0J8+rCXG6k3Kowh+0DeNc7gSfiuJIw202SD5al3WS5k6815avUfrdV+eqE95B2GQzDXjX5slrrdvK1k6/Hl6/hs
XBigbkjDJ9ahSql6yx+DEDg17iHOcUSC6C6AcVuNiNXqV0rkDa7lg5vzr9CPX2nKaLHg0i18LOpl9YeBWqQ5ZYmjfJmKgNTeaqONvqN2t43OJxISLNNxGq6p8ysFJBewwxYZEomTuy5ufJK6+LH1AHVZDff8gGma/DHMdcve88CztEwZF5tOjM82OpXTU7zKvUARpgLIiSmBXiRAjxE5wj2GJNKlQZswChEsWRCIi6tCrmKHiizcD2ZHjjpBDDwPYgPDirqAbs5a6cHdnpgE3rgSayNL1VvlJ4WPJnaiN0ePPzWgzy04a9WNqOtrDUKva1mI1u5751G2mmkEo30wvVFqQnvyfTFYXcCR6IHv93FVfRFmb1OR4d+/+ScXl5efDxfy4C3Uw879fAHVw8LbIlPpiAOSAt+izw4castKEoNhyvLdaG/Va2CK/e+0xo7rfFjao0FRssn0xrt5ggOvB5s+qiS1ii1UO7keifXf3S5LjeWPplc9yd38P4whuGoVU2uyyyjO7neyfUfT64pG1PHCwKH4wERkk+cIZ4sjEL8ZxJ6+KtqCs7fvxdAfXd1E6SdgCGePHZI4m3LFl0jsKyno6irV8lk/PfaL79e/Mt5/+ns9L3z4fTsl3cfL26u/nV1ffHh5izmHFN5xqjkLLjC8ib5eXNlOgYfNAQ3v9FvrV56E9b6VUMYD4860Ce3yB1OCQz7ARuvSGUqxJhI13dcRvuKuOXm5bQqCNEE+GiEQQ9jOg1SHxPps1iC1CEmnyZiM4o9vPNhMGCwx6tt8xZAPKcvVVfvX9DgDzAobk/jv1SnlJWU2mEXmuR0Spv5mEpidApMvvUarF5iQd0+q4/aPeh6B9ANeEVWLwUWXsLqj2sz24nGyxKNst359iVjPHZhl0goj0glySgHOpoVjEK7FcyES8XrhfNCmQFo+7yAD33IaAz7R5UCRuZwRGfxQ7WlqDJ+6BIFu1N/L4vlS6B0t8/16TaHnFSCoNwO11fFMd1JysuSlHLz3/YFRZA+9E4iOP42qCIoC7Faly0WlhsAl4rNC+eIctPO9jmiE8bQa9/D/sSWNLiqyeeHp2TpYf72KXknTyA5OYF3J9WQdBaBFf4olIxQmJzTmublZ3qXpx+2R8KDjoQ+ceGxSyuRsCyKRJEwQmHdM0aaaYEm5+vUkpPmd2/MWHJmywPS63bKahfvrHds+NJ5q+QQbau8FfVj6I18iA/HFXnLHpmwPd564oO6l82MZSuPrfLi/RGBB51b2OKjSrxY4mWyPVasfDK23dH+MNN32QHcVrl6fMTguHMMbw8qpT58Aqfs7bHcD7RkLN/Xb5frOIH+/QHs0GoRh6Wevttklll1uvzsYMsD/mG4u/yMYqvcfdJswpa4hfe+qMTdpR6pO2bZBLOUHoNslVmi+yHstGPYH1R0Xy5zc3wmzLKzADxr6XCJ02o5h06WpaBHKOIEi/JTprM0N4GB+QdpixLZ2aiUHI0IHB9y6LeqQfaWHTIpsiW0FLnfKaVzl7O3p2SfK8xX7TEmn5U38XalYu7lf2QH46ISfOJTxFVdTh+YNWOh4ig5Qtym4rgnMRz4d7DzrZqfUdkJ4k5x7BTHCsPfhOJ45ifE21M0ZZu+beqZk0kIW8cjeFhRz5Ts+J5QzRTGs9pp8BOObqcEbS//x1CCL1hFlZ31b1NF9SMEeXcA2zisoqI2eNRfctL/hOpkp00sL7/TJi9Am5T4MW9ToaQezJOjSoF8O4WycUnaKZQHDH9dhfIQv/gXrITKTcnb1EEnUQzD6ADe42rmk1JL8rZ0x6qG4ycc327vZXv5P4Zye8GKqtwrYJuKSogIdo4QjNrNSoqq1Clgpwh2imCF4f+RFUGpx8c2FcFdM4biOITHkVdNEZQ5fOwUwU4RrDD8H10RZPhWPhlh4ShSaGyolfGuMmwr3YGSdjwFvnoKvCtsUwibxrtSLxcQITfhsbQqRVutduq1lL7KikQVqI+V+im48tmIe
JVUnFLxkal1f2iDJaxKLT39LEInQ338N8bkExLrsNuGJIwQ4WkDi1PZAzOHCR8HgeMTpS0njocDLO0yeaUqgl9MRQ0weV6ovJmp2Otz2JucQHFvS26ZX3nrtGCKjLV6Dwk/fQWlN+vfZq77pFgwe133ZnvIXWp0Quua//dagycTsVbxPguxuijgGbosDLO5p5ab83Kz4tOxUvOoCQn1lNgyDjkO2QgFj8RMYhKWYxGLSdhTPWnjNugzbhoDP8dgyVEdkIgPsCR0ABoeHjVoHASbZbqwD1HbhcyznZrrzHSairpfqs8TdSHiA5Ewwn59Pxm5mdbTcf6gpJU8pi7aqqYYHd7D46ADva7tmHE9i0bOivG0asZiPcmUzAIdMx2p+oopcWo/FOtFnOkF5NJlh+a+pLbmvpWXHVXYL1109Gm7lP1m6Who19hPBpcnaGOfu3kWyKEJzbJukWM1y65N6JUc3R+GgftQogvfmWYAVjuGBX7wV1e/TANEVNWnODXwpQvbR4ewOZYWDig9Nch5F2e6BdRmXlUph5midg18TXwQ7Q70WkvUhfCLqqJQNEJmQ5mVrgnM+iSM1zw5hsh1WUwlDBElURygJ+C1EtfprfDa0d0B7CIEI1IJmSznYPpQXrP7XG+G1565O+2z5c2yVfVWWPOk1YfR5A4ediohP1k2cpU4s8QE80DGLAxtNY/bBz7pqYM3t8KgZb6WW2FQHrnwljTht/62ktxZdhOVeL3Ep2rHgYs5sMQ/bytMmG4X7sY7JrStOp/aaevZMm65T9dW+FYexvDOu4fdw0o+Enm/qYexW6k32AMZrjC8VT27HvisP4SGLffp2QqjTpoTeDAIYLdTKRzdalGoxKil3kA75lnAPKV+IFthHr+H4LCPYeu+UlKQvP/HA5mnzINkxzwp8wSOi7k0R77YkSiMMCd0sOgw8D3INZllINNDAiSzUS6aHBI4uaewfVTpQHAh7KoQQUO9zDQ/nsaOGZJn5f3ztG4vM8eUlqPJ2ZPL/1r4hbLscnoQceQhiaGLYJ6JarYubF5GG+3sh6Od1Wb1p99BjcfU3X86g9Xh4QEUcW+EuYSSx0JC17h3rIrWs0gvlR4cb0kvDSccikEXxuKkol4qh+zd6aUtIkTs9Ni2af0H0GPlu7stqbFxtw/HEkPSrYZQugDBcYkWK/SzmlVghV7/iLqx9E2rqRmwXNVsvMM/BC3s+msTu8hnoMnKrVFb0mStkxaUkxbE2c5kJU1WZgxYfva/CNB7ZW21W308FwleTXpfvMyW2u+2JLaZDU92d2K7E9tHEltgt4fa727cLvoMRH+RBXRLks8OJew1j+Fxt1pOtIXJESpuPlYyWK7Q7x9x+7HTgc+FEqvpwBetvxYZxrekv04mLej2ejBqVjs6WZj+oqBndnplp1e2SYk/gl5Z4DOxJb2CJiPo32EYWKN1HwCcsdMr+r+dXnkulPhx9ErsMcyFY+pk6BsL3GhMg6RTg72xtZRM6dGLWzHTp821JtEy5vWmG6SkoO6tnXb4DyYkD2f+Dow4GZEADzDEwkVzvmPF8NNjiHqxkpQAj0yGpUQGYIhdH1EiwrWFocx34zkKQ3BcyXxg9ed4gDA8iYvDD8RUpbvB58hT4aRXiacs+8NVWKrQyXLL+ipdbtL19dnxUKkJ81nyUMiW8NCGwpps9pGVWGWLqRB3E/ND+H+BTeA5SsBhtWgpu51gFU6e1aNLjQQznf7hFOmCw9nnyEi9+w3kK16FkX5sopefnD1HoovmUTWi207TKhJ9exPidpFjXyKXa4RKr5hKu/QY5xQIzEfE3SJfd44F7HQpHHTGlfi6LC5Kr3fMR0j+ZpbubDlkv60lYEFLzSML2vOYWm79MY+oq5+LrS1ybSvOWBEp9QQawsCE7TeIlGqXu5ITo2cgd+PxBPodD0bjStnlSuN+dnL3XOTumR/BPUM5XQBEu20x7XYojLohjO9s8NW1vRuqyvbykFk5sbwpk
csbxYA3CyQzrWCVzULrculMq1nl86b21Qx9+fne3EBigfmCl5i5ncbGu4z2yWBZrSSbgo84Lquaf5/s1ldQ6XWeL1Vs7/HCSPHKvMJilX9T1Pmqx5ui1p8p4lE4UzKv+WcqUNMk/yyl5ecplb9zU5gBkpJ0DshVmJkFtEC9Wt/m/AzVc9n59jNQz0ffxvCuF8JJt1JymM17/T+75ZfSIIsiFIpSax9p4eZi5VGss0B1zA86vfHHXDH+iAqj3CDwDFRGxIewe9eCg6Zt45Vb0ZXEB7yQ1UP56J/9+sH6Di97Lbfamzx7yuxWdj+Woi43uD0DRX0bSDjpjKCHKsGql8dFPMs12uIojqIE7lZpu1XaBoW/1PD6DIR/cnsL2eEdvG9Wc9YoDV54nsK/MNRiJ/w74d+A8Cf5Gh2XhQ6PXMfDvXgwMMHcSQrQVVN+fr48A2efPoCsi2n6yCdI+CmRDbqzagrJTz9f//P088XNB+JyJlhf3qRv9/E6zSz5D8xV5+mdTXgkrBpL8vDcnymd8X0UMI65Y5hOjXchcZN2IG1nHG18JCpi+j6MqN3AltZvzInMtktKHPJUvTnXRTf7N8kjb9Kh1/E9fkJaPTDzbkqoPuF4jILAMfo65unpSUWpTPsBhX6eVDTHlG5ANMty8V4lKvHmSk1X3qmrppybS8RRiNVr3PycfIFL/dVvXpa8+kzIJP/yImpLH2eiqpsYOa2UQ+9hxJVBf30RNbPbQfvmnJORohmW7o1+jyck1poCK7AbcyInDhYCU0lQIFZVsmE624C0EzDtBEw7eWxafos6D6flJWcDjkLwMwmwmE6g4Cp9pbOAYCpvQiGwi8XL0sYmkWWfBR7moroSNglyk+ZPqnvpgS1rTVXdW7osml0TXSRz7Y3J5fmzeWOz+t5Mx18E5mCm95fDRlrPOZiOCGchptIZIU60fqjMU6YTqnoBaS9PylrhCdkAa+kvsihpu+kYfEAUDTC/uZi+9gsgPIoixEPGpx7tUk5sVD2l4DSKTlVdYMuAq74gooBQibka/ggDYb7MUupWOVk5kgK2m8eQU9tMoFNn64kgy5lRQwgmX1/tlhGC+jsgQpNLFHtEmvy4urmUE8eE4r+trX9svir5Hp6HP6GjegtXBk4s0MBqvLz2cVYLuCwMEfU0BWOBPSCZoeTE1FkuklWIlgrkUWiLPpghmuo8HWcxH7pjfB6yhPc6/clTpkHfCJG8ZMO0UIdmxPJmtkXzcpeeZsaC0EFG4UehXzCxYbHM+GmozvUJoB6K+dfTh3qamuvFZwILYkaeX14aK+hPvHTzlOMG1cCyd3pKLsC+zaJVGi9r2ECPu+6Zq7q+0oeXM4yS3LFkK//jcspYOG5AFiv2039egbP370AsSaC2Moo3zLZshdXVQ5jAo7aDL5sqny7bHv6tlx9Bdw9b0A1Y7EHkhYSq1V0aCqVnuvlP3sNCwkivVQo5qFajCB6qDbU+2HGSLFWOZENM1ZXaG5cKsiLVxa9XmZEqaQ10a024mR42Q7iT/gH00RietO6WS+/b34HJAabNKNjlWIoGHoo6CtE3RtFY1F0WNpJXSN6gsb+f0/AFJtDvVltscak1WCQbHpLIYwOIBpjKBg572POwZ+wwqkgrjSUVE1NExFkPr1Q/OQCAKz8heYvVG0iOXLywevaG9vdsoChsEHqLXaUpJXPMb4fH1C0apzzoMyEhoUKiILDey0Ify2rZK9gHnZa4QSwk5tlL/l5sECF3iAZ4ihybv5k8JTHTra0uutDl2DPHU9BIU5lyPmzDmGoGwF6uVXUVTULPbo2mWuLffTi/0sLtqvf0wIgggADFcsz4MFXbGxX48WAEx6IHo+zTzWlqpRuN7I0HWLOcG3NN62AcQY+NacCQl9sbqVV4slXeb3VP6u3DTj352wiQxEI2QiwRVHRtEBRORSv3aZMcg9MOjpr1dmO/kavyV+K9fbaMsMbE8S3meCGnqApb4BW3PYAHrRjeR
rZE+5vnFcUkhkf0Z5aTBkOx9NsNPVH8FUUEjsy52o/IBj0kcLfjeNjNRa7OLhNMJetG3TQEhPYZDzfvvJIu8VDHFjRmWeKZoVr36pphNgEbs+pqu9VpQg+zXj8WLpIYMrXqVp8LqjELdT3/3VYjm4u5VMJXvhI/S2oUlt+KYpIjKkIiAeMp9RCImDTMFUxAiALiEhabrd1Scj7sPLSTbQiXEDR9U20C0UGhe0YHhF5AKNbLw/2YBy5yfbw/JXzhvogCIvdrr8D375a75ivs19Z2T2m10iU+VP9PkA/KuKN5CAkdqHeHkrEAasL0Ma/GCD6SnLHQ4fguxkLaWOEUnH+8AkkFs1VHHgZ9xgHKOgAeCxF5HOmlxGbT9qio6yERRnNnpB4RLuOeUvL6VDQidYkDPOAorDOunZ1cj9aTaiiKdM21pboS7Q6P2mpJL5mr6BZTigPrMfciwrEwZNShWDqESh6LxJEwsFNwZsYFeyJ2fYAEoCGKXiW9BROjl4k++zZ9AiQlcofi8bbh3c4RpEEPxoEtcsx2DK7GrOgYIiFcpA+/+xGhmrbfknvfBhz1sh9t9YvHQqb1I6p/fV14KPsPVTOZvNfnkOYR1Ew3wgXHhILho9OFCaVS7zNrm5XYIyIBdlBfYu54OCC5LmZ4I6nLwZgzqbS5iEWUU+HaHDLNprJR4otwAAN8DENh82zIeZcWTtCSAzTwF9DMKijVnl3MhwfqYwAZRiU7+2RxVx8yvaCvz3hY2kP4kuTiSa/GV5MxmV7s6z2l1UF1f78MxnovPVWYLlJv0QjpjbEbIMPkA1df91zXeK/Ow+g+pPWMlK3ecAa9d9UuyuG7dQ+ZGEYk0t8wmkif0f0i7HRpCiC7nCItKAWu9ZHw34B//6eCJC9cwaEHgh8120cwW+x5y9Z4xemkA31yi9zh9GwR9gM2fojK4A6hzqywl2qM/OKQUEE8DFj/0bQF9n04iXrwJLKt/vZmNnfLGdg2uSxvtWdZZg5Yzbpb7MUk8BJ1wGOaoWrOsG2tcKC4EH9e6RSXBCQOk+Ophfy+Njc/mEHX3lq6jGvvJ4k5dbRflI0Zz3VLgOhErVRwGMmc/VcfbjbERDSGmFMcNPJ9gj5nYZ5VX4OxT1wfhGTgS8CxiAPdmZLcCKtfPlMLYB+b+ZBj4MVhBIgAkpPBAHPs1TfK7+kC+DY8tPB7bf50+qaWf8MbxVU3dFpNk0yfKJvK6vMUKj3YQnVDZxXxTe2mui4WWE4v1X/qxWysMNVQDvEKLfoEB5p7psMp3Bcui/CbOQVl/pMyeANax83pfxXkqJK277Za0DAWlEwfZVcWDsV8TsZ5i4TDCIYw23ddP2Fgzb96jZiIDKGDxVLzOAx+eG8LKMD3RNZdFAvN22efPl+cf/lweXE+p0DfvgV//ncu3d9idvnP2hrzSSnNkTsMUaT9W52ZHViB2r9SNqaA9ZUuJyOlsFiQNddT0+obuIedysRHNlj0wolJMi+mw1L3kunRDXEd3+PcVTR52hPTZvMAMpGvruSj8s6cE0lcFEy9DPF9xLj1aIXjAfaIzI5DTc2si6mLoU9Gj3WU1uOlRJtZGnE80Mdoai9tBm4ci+cOzRIi+8MgTMjpD/HE0fsfJ0SuT2hKZzMdpRco+5UYW14mAzDqIOncsp6jM48uRh6lIKZp+Cb2wC3rGcu55xmeUN0B4frYi3OnRJvRv2zQg24QQZ/Z9G91zFG1HRYRY0FDjboQuKkK6vtzRVKf0hQLRNUIx9zSGBlzc7ZSTh4BNgHJucU4y5cK/7vc26V5eAAT7sYelEgM1Z7ilvVWlLlCDatfcIk8liGSblMex3QIaUAg7VXLoFuGRfpi5PFJoDp38vvjyG8pXMo2xTd0R3ByyOC3gW2/Xik90Kalt/DAVbA5H/r4SqkoqymKnRj/cGJcimi5TTGOiYB+6wB2rP6lT4hl+TAJfOLpeyeVP5xULoCN3KZc3qMW7HVHkLZt5p+KeaM2L
V+FR64GNPjQAeym2J0wry7MC6AFtynMYfsA3vVO4ImomBS9DKbvYbK0myx38rWmfJWj921TvjrhPaRdBsOwWqraUiS8nXzt5OvR5WsSSRZqOy3igxJIzISuIEAxVcPRAcMA8UEcYioFQEIwlyCZ3sn1KjYqYrf8ADbDY3hrRU6bupUyPfTUJ8iNYhhxwox5SxHUYxRJDAM8woEpGaMgwBIiz1Pd7ee8lXJ+qmq4HFGPhfewNejBCA2wqBVqppY4HUIah/9LugkPZSVCBMWS1nyl1nyt9nytdq4WJS72kfCTywkWERtjvoxPN+Kd12nqGGVXlrBx56QLORYs5i5O3OaqW/imfIrpyMqnlwmX2qBjBAiRdFPOdDUeizsB4cYd5jJsv1tbTkHNJmr8xrx7+enTe+fL1cVnpYfMxef32e/L06srdXH+6ePp9YXz/uIfF+/XVztPQaw4Eo6I0Jhiz2BL2chlUI5S1ZJUNy5iESdU6hjnR6JOs29DIZixwGvf1vy0FiGOqczVUI/vMxYiSVzISbS+Z2ALEkqWm81bJ02ogR+JhFHcC4gL+8gldABRFAUJynFFmvHACQehdISaGkvCUrLZFIQasEjLmGmg11kc97GSrATRB7hfPr8HxSD6zRLSb61ASB2VFHM7IIwWxJiSe2jeoyQI0SwY6qqOUrEgKxI+CbPi32v70wVHoZQTlr/uczSUJF/ChzLAMin5+gBH61XYa3lARLd1kAvgRtSbKoOHxUV4SKIeEjgBmZtd8swwWFob5Pg40w3IIM29TgDnksia14Bx8Mv19eWjBLeGdy04OaJw2G9bGC2/qJ8y3XQRXzOLTST82uusJsivQ+dvqWJ7odR6prQva6Ne+bMtt9JiaJ5V0vBbaZflD3NL7wxL70h7o4D0GkpLchT2TSSeMAOPxaTH7m2vZL2TPqZPrN9hKPyTA0s5nx9wWmytH9jrh+XFi7++K3zEI0vTiJV+ST7bmeaXcmpN7KzxTfiHJcXpmIFaOE9r4ErR33Mti+JknuaqTWny0x+oL5FehMybXrAxzS6yOh6SOPudVfb62S/C05/Y9Vn6O8i6CkT6KxzmKodDOn12OJQ4zB4ZjtJf0TirwjHyAkKH2XU4/ZXrVgQYZx0JKSfZ7wl109+Sxa6fXsRqwksvRklXmXRyUzFTAG0Rh4UCJPBBe7ak25ktSR+SsaTvMlooGM70rFigcK0DfAslceHSI9xlAeNipnD20V6cv8J0VLi8jxD1ZkoKn6SPXMmKJWFhHH0WFDoYcBZHhUH5GBVq+ExIUiiZuUpBUaZFt4wUPl/KGtk1G8y+d+gdznxiU1KX+F6HXxfGGA77pM/yJWq/WLguDIgyP44KBWoNXCiIw5kvxQpvGSEhcbFA+q5feK2I0OGkUMCLV4TKGYrqsn6hRN7nLzlGgXpUoSymM/wp8F3h0ketma8pfNRudyyFh935woNjS83D1qx4CZ9jr1gQF95FMF74pHNCopRs8drrzXRRfKREbvGSFOgsMS5eikL3koSYFeVS8uJVTF1UJLScfYtEb6WXMZ0Xy5iSu+L1rAjEAhd1wbjwYmOfzVyikKQlOuGF63PGspkjXRF8fZX3DCjd6OnZJ5yIu0AfGYaMDpj+FTEhBzwBncv6+dPewi2jWrx4vVq+xXS/oSpAF+jTRgwgqr2q0HM2nNK+f6/tRwNnjIINoCdsb7eqk3D0xdLAyWsfp3VnIycfLWQyO2PI/GzscDiq32RstR9ou4cDLLFD8dhJONVGl9MpCKVp4AHhMy6DSRIbReTjwR+kBOJdm8uvzdr553+7et6vuz4i1MQFmXqLI5sqxdtxbIKaNES2erzGli7UTSLtZodYqJNG2+kBV+CVVWNSD7sd6BMPQ8QlUcunamhnCX8kUOEBG9jZIz0WTLnDwGUkybxAwAaagTZrXMhiqlp8Rb74bYpzGMtQo2DogoANGuPZgt5sQYCEDNigUNZHJJgtExMxWxRiIbTto
VBPA08VilAs/fps4x5jcq5wiDnVhV/zJ55aUWWwADmjWc6stvaJ9Mqs1zxqQkI9NWEwDjkO2QgFFbkvCtjEiTgZLYu4z+INvdypp8ZVU70/kkq6jb9ZWK/sXHp+xiiWJiN1kAT/A1qiQFgUORHmIZFKun4CZ6eXztW/rpzT8w/vPuZQPh5O1KeJ2CzUmI98T6k+En647OhRz0jZAkHbIRoeHjWEHzaARzhWO8XNHi5meLidUmPRVN/oxVs2ov399ZcHq8rduiqfcDlxIhJhJ4mLthHgMgU0A+eqPlD1QbJqNMfAxcaboYDAt7DV6kE86VoosKc2YC6u67FjKvlEGw3AT+Dy3eWF87cvPzs/vz/9u3N2+tH5cPH57xevlBjq8Pxi03sil7Z8m7ZMZTSJxCngUSfRNs311+6V5LPZPYZ5WsA+48vaV2KMfOcP4o6NckWn3YZiRGDzYLSUK1Yh7V9AE/zBSMskxdLRgAkL9e75tGIRplLjJGTrwBCHqyjfB8ZjY99CZjwPO6jHqiOUy3ALXRYE2JUbUM4nMOlrAemUBkcSQTVZQX1ikGTSrEarCUUhcXWAF+ZpgolF+bFTqpg62jKXdAJMJ0neCT2nLiVaFcls8zvo8W+w1bIlfipZo2PpNgKvLlg94libGl6DfKlOL5G5zU3L6l5j39z8uj3vtmpeafmWlfO9PpxZK2mczYBn2bm2FLVoyrQGc0+yJ2RacQhJhCBjzMK0pbkvNsCya2IMbYfjt+TPCZbgge1SDexSDRRTDRQ4hg9GzSmPzL1uoUBkJS9S9WIahw4J1Veyq1qrm1gKhBsQoU/g8+03o2czbCu8eDudgy7WakPRZRj3sCs1/7iS25zAanrEevgbINsWjub1sXUgSlBxftXIYyBknk4SNcYcp6QyaaGkj4Fu/agOfZ1728KuaDXRo1h/hb2cBM3jdpqaPge5uM7np3js5NYXM3LDsYupDKa5Ladmkke1hByMmgsFxvURHWBHkhCD/wEHTX2UmJhEdAVCExifZiY3cxNnZkQpfAhtwtPlGzOlzNpoCnUSE0pxiIUaKIow9d4AyWNcuGGzrJj/NIjhwRyE4YJBlnyDxx+qIN/wG9AqjBIswmFc9KWrGK0WvEYVk9WKcmYcAGxSdu1jYO4W0mM8qnz178Iy+cqUWuKysFAINqTVDg5SrcbGam5hHMYC83X02piHotQCr2+qwesM2o/6pfHIFts686XVcNb+0E8QR4Gn+dV7RDo6iLHsG0/rgl5iPM+CHhGgeBxMUsvV5je42UFaLCxfP+cknUN5I9SJowhzJ0ATzPP+KrlKtolnWs9m/rL1sgLe3KotfwJXzrv/8+Xq83f19++fL/XfT9e/zIKM5PcFZvn4v+43sGxc1WTTbrc1XLReN2bGK6hNfposApo1xgOcb7Kdgzah4nvpoJjYGZMjdzitD5L6CQ70tNFmudB3S1MPqWeCv+SXKSg5ij/9cv7u2jn98u7c+fLx6uJaVfjzv6d28MJM9x9DUb0/NLOW84BAO/PWbxY9Ju8GpP4rmYiNL5gz01wUanq4j+JAOiMUxPhNsdvlK4miL4/5L/91y9+h0IRQH3Mi8eyTVl1iVHijFQf+3zXFAc6f/92LSSAJFfU4Jl7nP7X/XmHgggSYykLReuuWolgVFkSrC1ah2WZFq0ftqNFqejWLeyNNM06K03s7qdL/rcicL1iqEgI+Y7kqtxWsIF0g33izMube2jYL+THXIzWLmUlsJ00rM+VOmh5FmgiVWPtcjXB5sPdCkcr1API9bFau7k9sJ4u5zQneBXDuAjh3AZxfC55KUk6cnNepBRTF2EZMJE3F6Uhd6OW3+ZmmxC9eUTx2dhPYC5/A5iaJ5zmXDY+FoyPNzMiNz2fECLW6rC6c1IbH2pmNg6SvpIPNzmmoWQp/oZ7tJM+up++Vk+SnkFZ1Y57yOyl+qVKs2CgVjWcpvwkXVhbWYrvNymjfcy0yauBCplBQ5+fO1
cXnf7w7u6i9BrVP1xfv02vn4+mHC4NHVlOPrCfOKP5d3WVhIxl6TXUzPRFXFdebkHcy+jJlNFXEz1k+c7NEZVGleJyK62OedHaHtt3iM5Ha/ORbjNdb5RB2J9gvWrBzK6wXIuMPPGmdl/RHPHUd3tosG2Wnrtn2+Hmpgp1k7yR7Y5KtvbnEhLoOvu8T+6mujwF3A0Zx5t376L5UdImv4tS514xMSSM3eFmgJvpSx+Anf4Sr/3jmD3ej9T00Wk2oP5fkSC6I3OocF6pBNsIcIvWdKFJbZRhxJpnLqoW39wn1nGkuTat3tqqTeb4JjLjrEzoAfcaBwFQQfQrffzRwBdm0BdoWHbTUEO3J3XPvtkzdrUCrCnlKDw/bMKYGYcGD85+4An2WgKwuoI/Vrb7Q02Zp1R4P1qBVCmW6NpWWezRu3FV+4EYOCT17eAMFfz+7BO8+nF8ZPAgUBNgDI4K0o50cMz58FChSzjqQ38awNbIlycKVkBZtBAuxRGppUh8wNtAeelodBQ2XhVEs8YfkfmPUMiB21MXp6kVJD4upFI1kTmxINsTUQNu2uif19mGnnvxdp7/1uelRZH4eeQKsymlEOu4IO+1m+9DpHB8cd6w8l0DeFlCykWoMzPQ79onrA5fFgQd6M7gJrA/O/nEB1RNg/gmb4crMbWFSCl0y5UpjLa2Zf6bWUFNgzJn5P5kdraYtljVzRxsVa9r6VjMWxlpmH8z9MlbBWmLVqxmrXy218tWMVa8WTv9Mn5Za6GrGIlfjqtBY22rGslYzlrRa3nJmjyD87fTrVFsOiKyV1pq6ipqFS3l/s9Y3rnhUkBHegHwsz0rRbh7MIwa4AcFUWtsuFwKfeB6mJn5gZvE4Iwam5nxYDNCAbiIWEXEJiwXos8B7JGC33qBfxunTFejb30GtnkMJKPoV/F5r+CzEWYyhDKPs9wjxwnUO8WV96q7qP7wm5Mu80WcZUt8pnXcD0RQWEnFDYEE8rJTZYwH33WIfto4xDE9scBA7R5Gdo8jOUWTOUaTMGwTM45NtANBy+eTU1cAp2VbACwklIt1lFwNXV1VlI0wGvqO4z4kFGlgPMrPcM+l8NJMhKcEv1KXvTI9A9QjyPZarsYfh2twflS/JEtCaZOl/FTHWx/zdZZKM4jOOgsk1e3cpigXnLESEzhR+OD1LS64o6Sf9rD9XrYCAc3h4BJE3wlwgPoGEQuljGBLPC6qtwknkuD52h46nX9BG4VNw/vEKBIwNY4NU5Kl1t9qWI/DuEujmj2JH7rARRHQA2wObr4dHRf0uxkINMnf2RVxEffSNRGrtqfZ/JIIoIulVOCFRnUWYquZJmX4DEtVRiL4xisbZjbGPJBG6CRqiEJle5iFxps4la5N++Za/2eqmQYzJnhsa+JY4kfWHbfxJ5BgSL+SE5LUN0bGnQ+MNsLFihSSHmFqqqBs5NMPNMEQq3iSyJeV1GaXYlXU1irp69pMyxUumvI6eFA4eqG/poCBgY/s25ELXAJKjfp+4IKmZwCSk/TwKyY+Py5HK0j1mOoDaDDyJmZt57dOX68sv1/X9vb324W9NePj1+177tybsfP3euvG+/9aCJ1+/v7rxXt3U/3rTe/Xvzn/q+6dnZxeX13OAJyLDO+G1vVb76Kb+6vteq2n+HLVv6q3fuvDk6/RaPSe5/r+64OC3JmwlFU5Ug+6xueie3NTbh52b+qsN8NTqm562juklPG1QcdfDXScRv+lDSlRHiDwMEAUslj0WUw+8+3wG5hpvlnvuqC1rYkFhRIxL1X+32z1KlnDTm0Q4iZZ7+zZvY3owZVqtdEmmD23Vuo0XTB5F9N9WHi8e6rjhh9lJbtEIzeajcowJ00411SAj3TbTUU0jrW3m6l06KrDbpO42qbt0VLt0VLt0VOk126Wj2qWj2qWjmhY863RU2YyzKO+wnn3UmlRNWrd6PerjIMJ8A5ulreV0uo2jicR8tTyx/9tUVhtQ3GNsOD14RY8YQhz2y
53CZ6hjlgXpiiBdDKTrAL0ESGZ/PfHrOd/Mj8lMryd5rTbTqT2d1bMJXc/lZhrPzeB68k7n7XTKTmbrZKJO5+h0ek5m5mRCTufhbPrNZt3cZJvOsenUmsyo2URq5s/8tDmdLfUkaTRpJnvJTJhNgEabJ9NdNsslk1s2p5l/shksmbiSDzGdprLZKT8bZZNQMvfoKSedadIJJptX9JdPZ5Hp5JHOGXrwuRkimxjMfJCbBjLtb5T+VNfnVXxes+cVel6Pp+o70dqJmku/f6KaM42cvL/Wv4naNdo2UbJT3apVak6TpgrUcFBOXSZaMlOOqU7UqtBowEzxJeruaxZAPCMuS1fi1lY/tjvJKzsi9XT7kmhMmChBPRkkRQHqveS5YKjBaB0DRusoJrBPA8M8aK22yqi6G/Y8PpQHkJAR5KNDi/ZXD0wGWjcPd/qchY7JWKEepr+6omW+qmbiDC6a9p3k0PZ1doDrmNGbku5sUS8q3C40TypTpEWK9h2ONQY3iUad5AHO54v/fXF2nX8cR2N1GXuR4xGkEdyJTs2hLhahoxde5fdaHwUuoxoS3g70jiJZNwf4Xt1DJJiownvzAjDAA+ROYBgHkmgXbREapG44Zny4kRXOAYwwF0RITAvOesvAHVfpIn+a3DmCPcYkZBwGbMAoRLFk2p1lqRV7A+CR8yK0LOPZ1L3Y8LHBjSzK2EYFyxv24EnswaaLlggWXZT3bAP2xseg54NIlFMd1TSecQldMU1OFSIFfADR6B7et4YP0n6bsBM8S/osE6dVKJV6tT2WS9vg/gB20CEcnyyTsHLi/YgSJ/gqmWKShHMGRBdT9aY6AlGj4TNFWRxAEWGX9IkLOB6o1+GPY/n1ouUQ0iHzTC6ROTutzk0VCr6vbdXm3cX6SaqeAAM5oVjyNk6IxF2M1UpiMemIAFlVRS4kAEolUj/NA71JYrHvcfXRpVrCGId5QgGRQsf/PQot+6L8GCFb3fPa/735rb5/8/XPuf2PyTIye/tVISQ1OS2KIi2qbdW2wAt6Gl0/ydyqRvXmQRfmSVGN+iHznIAIq1l2pYwVw8dOWHE/OloqmGoQ9iApNd5N+Mqt4DazyVwWw7inPr7EwvGocDCNQ1wIeCwSKqutfejma2+WIr0jYaHIvKOc6h/RSV39X4zcepIYqK4TQ2lyFdrISaTbXH3+h2VKfCKvt043c3pKI6UeRsHAc1DsEenENBYxCpyA9Djik3z+hrlY3/fnjsbJBiPEiZ4OiQARi+JA48r3JgDpXGoGdD4fjUEC/Mg5dMMjm0dEbS5Q/6aWvsWN2dXe0L0bCkAYomg2SuMmDdO4qb0G6krHZaQXWWDGjdHQxV5m8O2TxdQNVcr6hup6EWcJYcBPYO/y86dr5+L/XJwl+ULX56ctpIYKPCdJWFeVsS4/X7z/dHr+nFjr9hjBMXFhb0QsrIULUDC/16bv8HbfMIr2ic4VTzlmAxp/G8QlvQiFDu5FfcdnzJoc9L2hdlK3LhhQNbMpGf/t8ueN0ihbU/V6Fhr1on7dDT3V698uf3Y+nF6aFIgXJb6RZtQ3dcE2QKHVI02bh11IaBRL6KJIxhxXIwtjFE8cGdPEgdUcxVqpo6uC66Qq2EsCQw9g56TVepXGjU53Po9Cq9uWjVbTA/5ppo2rL+/OU8yV6f2YaIpOS/PplGfFcv/v79/97cy5/vLx9G/vL66eXPQeJ79yiMO+hnpA9k2svg9Y7xa7Ms378ii07N7ZnNDxfDCkHpE1IPJteq5ns3fPpN7M+1DU5tMpzqcEhbocqBs8TgvVT0lCrG82QtabNEwK0/vjrtPtwB6TMsBcIytA/VXggMYNMRGQMyaLo9CLiD/tTdFnkkW/50ESuTAxzBffe2rC0p/ljTbhO+aE25EchYoDKAZ7Hg6wxN4r7Z+/qOrUdeDhfL3qlq7bbkKO+zo0Z4ShyzwM1ZRfdXcXEkp0hvClYVXJiZQOu4nDqLDDS3sB/ZiaxZTB6
WehGLmi7q3gC/Cw8CqvVbosKOQE/0AoOV+YM1yPdP3jmCozTvMAMpGvrj7hQwhIB07EWLBavIzxJk+zUrl8Eknmxpxj6k6S3oDqbSnFHqKqwsiz0Ks8Xub32n49JBTfhzwLkSlcqgoUUaZGXGdcm8xmrjUOShxFjMtcN3Mlqpp7oNulgTf5K3U7ausCos28+Qt1E0sfczW4dBizBapSv51/QOFKP4ApRVIPtY0uf6Fu8ihAVNbvJ9/U3cJV8pkIHTAXI5qOYLZo7Wn3CQ4b8/xswsAW87N6XDDSlrLzj1f6wBAgIZhLUBYDapg84W0d3b7pmAAXfYMTPoStDrbwtz1AcMfbG+XtR4yFfAq2T7LNGgAOjg270IGGQNJ4YlYgpM/2bLVJe+yBHGSOmZPffTi/2ijrZzjoPRuqmBp+PeaBnmYb+40QSwQ14hBB4TSbem6YDTNHz56lp7uSLF9empGw1W6K/AF7acWDplh/fbb69F4BumghX8RUOmpOdPpWDrhOwlsN4c3psl6k6ZYpKsvjmDazWf3etpnUA6gbqZjuMhqauuZeXzj6RFcJKRthHqCJzblgAxJcbb/YbbV0pQhDyWAueLgKzZahrSjC6ZpW3ManIBvp2VDRZ+2ZMZU/DlGUknB8YjddpjudBODIbG90u0f5/CG3+bIZydD/6qQXBcAiNfxGKwEl0hft/MVB/qKTvzjMX3TzF0f5i+P8xckmzmlW3c+uCXZEsTQzZ+qwaqPv6dyZtZK4MSdSYmqOtx8TO/BbvwfJPYOsM7bQPRc3yiJM6wbK5SfwyZyWpidwhSOOFdx2s07VlJpdALBnHjI9AFLTcwJ5pepObxfWq8JPV5Pp4jNdIg5ZPnICqBl55hEJD8eCZ7haAellv7F0q+BvAbD2ZF4p9LnVPISEatQBHWAKJUdU9DPVvDqfpkaZZJFm49SPRTacgbTJcfGXz+82yqPijsC71jfIqM094r+rxW5aEUkjP0qAauq30WC/9hX890ulo7QjMp/OapHHA2Q+mrQh8WPoh+3FKmXGsaUmmGs8kz1itpXC7LXVbzW1agpRLF0kDbWoq09nqWq2Rjzvq9Lk4dkJ9JRl0iNnxSzaIUCNLGGeVvuo3qw368lkuB8y6dXjXkxlrAazXwNrz11bZCvHgl9dhD/J3U8tRRr+9jEnMHTYhhzfwYFv84ObBedblSXyHJHR3mH6RUVK/4gJqZOpvzX01tdqG5lcXyd/vbf/n/kRR6r3fJOf36qL/ZIH5pznF/Ha+ky1TWzyjL2W7U0Wq7DH3JuMm99gt0NhT9gciF6URvvTTqNplnORLE9Km+65pjB9hHr64EabIYQgvQAnvSQgL+YxG55J003ZSffEwnc2q6EZk2GhHCOpdfbeVI/lEBmDWjlaY6QY6ft3YG9JF7QczbVM1ZiJakbCTxgqiS/fr319tfbSeXthaYlicgQl/T6hAw0KaeOs90q+QIJhDkz4qnFQTZ0fsQdQX+I8qL92bAePlM/qhNvCN2y8Jd3Ii0Otu6TwER+uP/Gs5NnYnHo2Jp+3Im3GTo9QxCc5TKflc8308+NpBDnFY2D60lqzrwG6CNXm5mkDEq4C3VmFWPeDMWwfE9g5tuU4sSv4wtHzjNPh7O2Sk2mLb8JGzti2ofIHnC1G8Uxtd1hI1AuI8DXFp8hrQDLTy0Ypm2WvGdjEcLENWsaU4mC/rkdV3wjMYkXKtOEY92AR3HRFeghMJeZLBTGpB2JhnAN6HKMhiyVg/Uda7E1B8VbIJ6Q6T4ZYXFUV9go1ifgAy7ctrTvftqwoyBuQqyc9u6bSE4Z8ml8CQq3n1x+vz69S+18fc0xds1afb7ZxN5zOam446kXqHpEv0M+G9fuYCjLCOkF12aLjFAwpG9NccAaIFMuKJGCNBcBHAvQwpo9zIpRSpHNiw5m0waSo3fRE+ozup3nna7/GPXLlIlqPJjolXipqI50/T72bkJwMlSAW7r4Cr0pgInQrIlxEa
69rQ48MBpirX3EPQz/WMv26xtFwiIWova5FmKj1mUiqaMlJfuuIibRpQJKmGl48FrXXv9d6TPbgBnbqKyyYNp7ziIVkwKy2i08h0SH4BvlSAAQy9eMB1yeBl86qG2WnzkRC8g1DNCqFMY+JB/7ytmidsKETqEez5C3WF//lKPSbT5HCIkyncav2xFTZ2kZV1suakhBVsPfh6vMrUIBN1sp7o/TLUr5Fxxb6zdqA3oJaQ0xEw4TzNULBGxHiKMRqJI183GrORlS0U33/5Fx//vLx7Psn5/Ty8uLj+fdPzufzf37+/sn55+dPH9//C/wFNNel/hP446h3EyJw1Bf1GLMumJI62YIpW86CmVabpeVtsDzaMRnazPGTnoOFY4RgA3PwciFsHp4UVrnJ16MDqDV3xBVrVSPMCHPNgw6mkk+0jXyxJBZCyLPmMxvJuc42S7NmZMtXZJM/bXoXOOg3+l6jtZ6cPdLSdwsTY9SOCO1jV1YE957ZVCKgwbVn/UMv25fvdO8gRMEY8cfRwazFLDywV9h49lFIAg37cPqz8+7jxbVaTy2u0X0FloKEz9XQn+Evb0G32Wo27Xf/R989XFtZV9rnbhBgPELuEA2wM83TuXQHfGma5FN76nCH5MD5Me0e4ZEHR4EPDyaliSWtnhQ9QhsokiZ0Jgu7iYaDQgGPwsK1HRQqu00j47SbFUQkMdrrEm25yJdPK05i8yBhxjXMbgak1xAURZ7599G25U87JRVqzCegTBlRiLG3GE3z2sdJPcA4cP3kd976lq4y9AHiBCCanW3ryoxvdiMZtDFEQwR749Jkwf0ZKO6MW/Tga4XQsPSV7JaMLLjsSrUSUu/l1t/BPRRlLM8tJ8dpHlQYIkp0MPQCN7aDVlbdHEpAjkM2QlV1l5DYEaXoOOVpkHTLHqEwIEMMxKZT9Xe6TTiYCBjcRRauKEmElI4pDQ0Y+EzI3LXEPMxdDoMBl34SicD1wqzu6ov0OLou/Ef19680ZW3m0HxK8ZVOzmeiuHTrzVM7XblEolrU1iNR/CWS1Rz+PYimmOLUwyc9QCx0s2EaUxt2x2KrSJotdOoWypCQ9Yiz/GVARjh/3Y9p/jKLAerFPHJZEKAe40gyXqdY5iqS/mQaTeQiivhE56MWuRijxKVSsda0sUdFwAZ1dxOZq7dm9o4wDxZ4UWAelDuJpr4Vj8I3AV4l+Pwt+L2mXmG/VurIkCRbnvdjuPp09qtzdf354vRD4skgmDtUHOkQur+JoOsVqdpuNYsniqyvZ3eJU7tcNaf1yI/WdYyJ/OgpvGKOcOnxb/GAN/KjcgrzOfeYlMRCh/k7PUK9HImx1LhjmBbLFI0iWSwz8ArFMn3MUyziGHn7z9ph5lF4LEJjHVRbzmy/XIIx7oGcdgJpqxWx/B9mOPyWfcMlLjG/1yI2xlyPZb/2uuaGXh3fzyRotydpiPxIV32tfkF3QEzDtSm6fKu5cWIyaSyYzhj3kiQNi1KmWUk6zc+gtpqFvGlLifwQ3XF8u5JvenEzuUuTlt3ZpUmbKf6R06RV8z0uGtt3SdHMxS4p2i4pWla0S4qWluySohVKdknRqiVFy4e5WLE5pgtuFCHXx20dFDEg9F7vpiQLk9Cbmi9llMxepR29/V1vJvc3gJK9jXV6ulVxcBgRjp0YuU5vEiGxxGuoEGYVIun6GrIoOwMwh/xfTs+A6W36GtrL0wCnTx8PzOOTZ2568zaIbQbtgtdnsrOGH9klgB8ZfQfgGPxi8BWgC/58//bPe3uDCPzy69mXN1esL8eI45sPxOVMsL68+acZGPgSqSXJq3ryN9mg57t9eGf/7yacBZ/aHVUxjMbtW2hWPDUup6npUEP0RUU8v+ruqA9jFjbplDHL7H6dMzdkNN2zJy+6oU37k9NJcuRiB1FJPNyLB4vFPxZYaMsulQTq+gPtN5wJuWSgFzB3CMzNTWe6iMYxPIqPICE2LwTzLukhu+r88vrz6dmFo//9cPGIF
rmVcUS67TZMv42l6soEI/R2FS+jgm+ZaQNc5ilOlgwgyqSPOXgMz9xhFMKjoQ/vv9lQZEpJdfnp14vri/+j/YoWVjo/vT5dWunL1ecno2zz8BAmHxLOUmdF0o7pkEgnc5x25uI2FszK6dmZNq4kR/GMC8D6IL90UNcJoHMLdpoHnY0SfRx9gz0Swi63AW7NHqRpf8J0qRcN1d3p4Xwenvnql4v375M59fL0+pf9nJeGrpcLjj9/d3X5/vRfSe3zi6tfrz9dOlcXV1fvPn3MN0wBoddfwFUKtXkcrGcTIeG4AXGUeNvY5VJXMdKvGCbibEQ87AGWBi1q0zNYKQynClMMjvpw2OdQeoshvXOWuDTeo8xS45agt0DXYo2D7r6Ie4msTMvylhR9mRhT0oJITupaqPZnH/Yn7aaMZRzpI8oX6qjMERUsVEtQhzK7I89lasab1tXZlFO0cBBTT4cn65W92tplWRYI3ux0kkVyMZtz+QrgVFmFAnhU3l3RpPFI/Ag1hnd6oVhjf7/ocphes0iWQkQFbFC8Jr25MvWmcVQoGo/HRSSpn37K42FlK1Fe2/srebXHdSgL/s6xdlz+TqiQPNbk/u7jIPrus7EjmfpzAyT7boj5qr6/N2Exd7J2GoX2u1q9JVUKPalHi1dmV2wdy+eLs0//uPhc37+py3uZZJyaqZnqaV67qasH/Xn9FfMyB7nOSRMS6pMekWluo+SFq3l4c9cxkiGcFMvUJjKfz0BSDcxU26wcTNo2OdgrcP/eqr74r1Jn/FnUNXNar9iam1N/RrXbZFJisiB9fVWShXjaz3R+zuTnRToFr8usK6U0bB7MpjRMLPPkm1kxJAxWjX0x8pxh3MMmoMvGutc+BtMaJlBXLRTMLvSR+PhubMNqWqSgG3U1yIYZpSaV1tWF0vUJtYUYEo49IhyBqNdj944JKrXR6Vy3Fekyvg2bh52DRyEOjUblSoYUoBlTcUmyY+in6YQYpXCNtYD0XNiut08MSGN6fdCcuW7NXLdnrg9mrjsz14cz192Z6yOdymdpJnVNHuj62B1C7vWMK6gqEpiPNpJ0ekUXnM0776WcN8JOIYVzcWZTldJUtdmp3GPmjRmPDsrZr3yOs09tD8MTNYRWvxDrJ7/muGWGr9djFKSJU/iEPhL+G/Dv/1RgpeUbilb7BAofcezBJDtmRZYZECH5xOExHeLJwjXRKfic1Aam9pR9Vl4jPexQt8t8CwcJLOvp+Otq8LlJ5pdfL/7lvP90dvre+XB69su7jxc3V59+vv7n6eeL+ZP6mzOdl0T+Q83pjN58TjyH1+2EUReXdpTaDf7Jxt3OQfsj8yw2hCojKzdEfLye7edaZ1VAAbjSvHzzzhjBF3TyrEey0od+0tFc3G9gIllllbn5xNmZSkhskquohitTNWubKojH1gv3Np+/qnqhCm2TFxWfqnFceUcvmE0CNHGQlMgdapyaxSbCLL0Xkq6PRYJfozsBphMgV8kG9TBG6Y1sjGL1/92/xJLISyZRmBwifmZqv6pKJEuKfmGycP2/Y+JOCiW3sZCO52InXwNMq9Q4k8b0CGqmNL26ihgLrlAYBTgt+oxFxKiHeVLwe21fhD398e737ddUBmGhQOMUps/P+QAWLejv6IgNMbxGEvOZnmc7Tq7dEAMR9nJ333y8fv/Bn57KJn3mv+v6TL+6gfXw8DCfFgX2OQthGssK9Zlb1TVTgJHAjoaYWbDBO5uiPug6OSteb5IhRBA6KPa4VAQesgbHvs2HYma1rDovDKVWcspam6Lm589b88ettUZy3v5gVIm1WaSSPWdN6DQe93AsFqvAaC7URivDpG0uhRKQPu7LR9WHh6WBNjMKAQmOI85Qhh/cSJYFb4a8JwdpqXb5aAQx8d40U40zxLyH803NJpPRYAIaEWcDnqnYSErQkMQd4rQuCdWkxiiSOBaZLuKY4vFMTSSGciBBI1fNR3yEhQQNbVQZoSBVZZ14pp7wQSPVB
UnhgAUepqCBsGgfdtOWJBhhPm1c2zdUe2pVdgyFxChQ03if8QGGyUcW0HyTipospq4TYDScOH3ruu66AF6TITUmR1Yd2G51211jt471wPvxcpZ9iP7yWza8ZNf3CK+LiRLuIHcgUAC3MQcDpmp/HoSqLxqu9iKeh1jNPATVd6pvwD74tBqJuk4eBbaMvqpiCoFrEnolKd40DAllFAqJqIe4B8Zos7E7MojhXRDCFlspVU0JDkTFBMEFe9y6sxOYY5onM5RkcjmFwJgaRyw3p9/BW8Pg8tX24jtb0TMReoH6WG3zlgr+VVJxumN/5K36/WHLIuJVt+ra8Jvups8MsMIVljfJzxv1Wn9jTG6AbKv6ix1229pyTXjaYNU5uFDDZWEUEEQLkD7C9bEXB9hzJBJDE31c6kWWVQaqslblq57qP4ykozubzc+6iEy2umoh5fpqeCLvjVNMkZ2EWK9NwFWORZqHBzD7blANTK2sbllvRRImZMJ60nOSsTqY9hl3cVgSMHt18V5VB7lqwGARGZSd5I2XUq3KTDse3MFg0FGvaBVD3Vc9GVE9GY1xk8Y8JEIYcI1aOrhiQPRU/xvHqrdqyfy3i7NPHy7g1Zezs4urqw0Q9PElMiUnFUSSEXYk1wY5u7yl2zkiQFIvj5Wb3MVCRz8L39MxFRmgQm6zV3T33gy5MwzPjs1rd6/c2fbi4tflbrsXF78ud9u9uPj1y9VnY2AzlfS/uI5jk4ZrPs9gBs/lBSPNbMEosUCj0Ot2ahqzS3Wifg2MSS4IvN5qFrlVWKzSXL2+p3B6wi4ks6YfN45OrpyGVqiaAIEiPv9meSYe2TB85/07a9noalYnTjXUDWyPlzqGHZ+k0VMw9x1XJICPeBRH5vw6FtMkH0UymFq5IBcly3p1ORV5MMcvm55v7/qrEsaMV8+5c5NsQp1fNFyxIsklkn7qT/uF3sVMYi+xTqhbyZ3k/P78/XvTMin+oFeNqpukyd/URpJgMX8/nWavkUhbn2ucqb9fXl4Wj2DOkKpcKF+bjyrK9qO4d5tYPZ+ouXLieDjAssSepqPqfjEV9argvFB5QxLf57A3OYHi3sZYJuhz1iui3kPCT19BKeD6t5nrPikWzF7Xvdkecpd6WZF/ct5xrODMmx47f10wjUx3u7n98PqctOpCpHnUhFkIR0WARrB8c1BgJjEJ1UezMdMpEJOwp3oCqopWXiZs088xWOoLbhKbqNWMTodL4xVAeSoxXdiHqO1C5tkyR0xxKXS/1D611PeTkZtNfTrOH5S0aVT3FjXF6PAeHgcd6HWRhWjLPLmWeCvbnAqfQs3YvVONklmgY4pzbRZy/0OxHsXLEdCNCjH45xSwWPZ07rQ0o+dc881wYhZAgriFEzeEcl7iEWiwoGrmnynWkykwYE35PxlKUE3jMdXMHQ2ZVNPYQjWDn1TL0I9yvwzmUS3BLKoZTKNaimFUM5hFtXD6Z/q0FH+oZvCGalwVGiyhmsENqhmcoFoeFyhFyl4A7742iy93Z9x8fFQCX8aZIubyc1HN1EntgjnkUbi4T21+KQvd5veTweU1VGOfuxZr+95Sr9pXGzG0r3LStkkHJLBciwVkhLnjth0SRgGi8mGWedMNcNsg6WYpEzxsZ+f3bMps/mz0I7u4JxLsz+/q9O2zJPSz7P5vZ4wKFuCvb958imUUywvqMo/QwdvfrvG9rH+5/vk4Lfr65o26XP/YrhIa8gbzMuhEzevinupOngL5lBGbeWRvNpGa3t3rDNQ5bNFsuZzceWVdM2uzlw11VF+p6pkvRuraJbAUJENKlR7mfBMb8a3MAsJ3UCx9xsk37DlDPBGORqiz8cbV1S9TK7iqCkI0AT4a4Yre7lU4wZcubB8dwubYBpCdx7HMfqn/9EvMLFRAbeZV1fJ3pqidZuHLdTCFxUzXwXUh/OJiuFCUBsNmpSBDSQbA5IuZ9u5pcHEt1/WQeRqxI3c7zMW7P5i1VpmJVki1sObkY
+U1NrYvOLbBa0d3B7CLEIzIfTVeY+PZnVpFXss6eARey3efZ7YEISJ3V5WorYC9/mCu/oB468NLPFveLDs32gprnrT6MJrcwcOOLXtyKWtajiorcablwHENxiwM7fv33OjyfLaJJ+VE4MdlULWpeTYMyiMX3pIm/NaPqzDoemdklq4ezuuW7eWOA8FSDnSyGJLtM+E07H7HhLZV51zCt2JpYutwkAR/ASdN8eMyLtfg0M+Gb+VhDO+8e9g9tGXiL+Vb8xbrsFu+h00wXGF4378XRrib4x/AqMbm+2wYddKcwINBALtWB6pSRrXazCsxqtX2vWMesJh5JAntidK3wjx+D8FhH8PWve1Yt5x59FusxTy5HnbMU8I8RBp3L4MxZNI32VgniX3Kpc1PQfEmBh+bqu7AmPFwo9wzzeNsg01ZYLSuR5wOZgmcLzO1zDs1bJWLtywGpUpLxpfAMlO2oIymcU5LTN9KpxiEH6mTHOVyf7MkZCqLmIoYX240egh3dFq2TO/z6bUVgxw3X4Pjpv73+DXodA5eg2P9b6fT6SzwbRDCX9v80zyGAZKYowCGbJT3iZ+jZLu1Fhq+ImLqhbDUeSG1+BWTYVJNW+NN/ChUGxzakLjmqfb2LWi3zZnmRhwainb9KHORa7WP6k31v8bxa9BMfh60X4M3b1qNVvtY/VB/1zf6rMwGh92DGTaAwnwo6GvP06rQ6CImnqON/wttwAhcfXl3DjK7P14Vp/4hfHA4tgEa7QksY+LlPOS/fwdJmSrSZa/mQw61NeUncOW806+gdutzdbIu83dS7OSSKMY/5YGdReyx9bVBJSfcw84xRL1YYIgDPDIW4cR+DEPs+ogSEVbkhTRbqdMjUiAvJLTc7/s0n900q58hLD9VSoPOKikNVPfZEBd6fiPPU80Ss24hoyXHIg7xBmy8lYz+m0mBnCNtdtDjuAEpzVo4jWsPEUUDE4eVz4SfkhXoQOis+lIqV1EIqH8LD8UItscrgGrnnJrVLkCDfEqdr82VPHPgmjn5WpeUK5jru82TPISm4kAikpzSKR+UNW01oYejgE3g7AeuTHYvCMpX8+dBANRNianJe50T7Wxdv5S0DxNg7NpsWUby8iL8O6jt173AxNPkb3tYhwnNxFXfnOvim/0Mr8rExx60bxIn+WmNSwO3cY4kujEcdFPu16r4JvGd15rkj8NCVHpCqYDyOeFqyja6DmB9kLZ6JPZpD7vLdYPqPh3HQvWvKs3o/rXVfQUIk82ku8mRTC/vFq7sPmMXUxlMMvlnfHompJqbRV/16byKos8yETNbrM3e3pIF3bxbct6T1ZEkxOB/wEFTTJ2/ivJcQDdZhNdgoPA9JJHHBlDDQDVw2MOehz2D4qCRoV6DpRUTmPaIsx5eqT52Y07kBK78hDT6cuUGOnp0YfXsDe3v2UBR2DDBng0US5Yk8HHmEUc8jd4As/SSlntThVdSy17BPui0xA1iIZUOTYb/e7FBhNwhGmBRSHyQ3kyegnk+b8HDtcK2F/ua/7yCz3e5099pGlRbckKsM/KwWIL08HW1UM8qOqJzLGCnS+GgswQOp3huXOrCp7FMzEdI/hbSXyy4jaW7sKUGVlnQnsfUcit3ngy2iZzzhLAx23GDXL7eOuyepGk0Kh62FWrYD9ntclfiAPkM5G48nkC/48HImsRgkdzZ3Rl3cvdc5O6Zu4Q+QzldEES8bTHtdiiMuiGM72yxErW9G6rK9vLOoDmxvCmRyxvFgDcLJDOtYJXNQuty6UyrWeXzpvbVDH0VT9GZgcRCL9bKXmLm9oydb0kt8z46uUBZ1fz7ZLe+gkqv83ypYnuPF0aKV+YVFqv8m6LOVz3eFLX+TBGPwpmSec0/U4GaJvlnKS0/T6n8nZvCDJCUpHNArsLMLKAF6tVTHFs9uXouc4V+Bur56NsY3vVCOOl6VVZRZQ4Gy11Qy3xIn93yq5hrrzBWiwKxj7Rwc7HyKNZZoDrmB53e+GOuG
H9EhVHuAPwMVEbEh7B714KDpm3jlVvRlbjvvpDVQ/non/36wfoOL3stt9qbPHvK7FZ2P5aiLneAfwaK+jaQcNIZQQ9VChgu92Z/lmu00tHuVmm7Vdq05mMIf2kAwzMQ/sntLWSHd/C+WSloqzwa4XkKf9lod8K/E/5pzc0Iv4jQmGKvHJ4oqQiSiiBfcTNSnYWZoMFiqZ46k0zFomZYR4PJ5dgwx1Xzt3oab8hWOIXSs/ZlbdQrf7blVlqcgeRZG34r7bL8YW7pnWHpHWlvpNieUCI5CvvGE1aYgaeggPOvZL2TPsZACM41SiAE58r5/IDTYmv9wF4/LC9e/PVT2MK5pgbG0NqGz3am+aWcWhM7axg4RGtxOmZQkvBgKhhv34Ky+ctLlA7jBTesCHFM5Y+rrx9TS89n7shVXO4bJBFf7DR4jThA3PXJCK+cRuUh6rd1fJdUsjt3FllLaw/Ei6jIjjk91857Zqi11zV3A1Q4gS4LgrkJrjhZNmHymdLK2IMekqgaOUIkcbnT7WcdDwSMY2kBrToWhA4AAjJJ3Kxzoauix8yQELg21M5CjJXPhJz67Avh1/Ur1glbny6VgivarZM0nMp8PjOxVKOOnJiVikOoM+tjbUUFVpsSgMD19b+eLJIiJc5Je0nE/m49s1vP7NYzxfWMknC7q/hLCChaQYPFlOLAkRz1+8RN36Aw3+saaubQaZq4BH3Gx4h7qihL/JK03KzG8gMrlPkMuGtERkxS5LqkNk3end4cMCFrhRiB2YXBe7VaO1P/fK59nQWPTScpdVsIfza710xXn1U13d+5+mc8X1vX47W9vfbhb014+PX7Xvu3Jux8/d668b7/1oInX1/deK9u6n+96b36d+c/ta/ACmcr/FjKANcWDUZHwpkJTv3SHvKBhgyYf823GUZu2YCvzy478P27q+uLj2++X306+/XqVcnXIswjVD/S/NJZRjwqVO+vQc1HVKR/YdyLqYzVZWQYEdKB+dR99ecg4uxepyigA86Gxc+Z7BGmDzazAUjA6EEt+WP+NZoY1JI/38yfofmj9efXtY9QKi0/Do/aGXwzlKmMVZLd2MOjpbjtJtANKNl61OX6mNlC+eygHFi6DTX4hupF1L0UbUPNi7bydM4svZedbtpq8JjOlpfmX38ydI7DThfiEaYSSk4GA8yxVxntPeECbZtxBA76NvpPER10Qgy11JSqLuhzFgLpYx3jZXbjj8IYQ25T4nMWpbdv549p16bEqplDDrsd6BMPQ8Ql6SO3YrbwmOoj6qWbgGsfp3WfPJ56iqceWMhRnAqSMdYeKW66UvTTmnl/Y4G5k6IaSjmxi4iqVdg9jwgCiAINqq5GPsIgwdrYKFGaRxM4bB1Dl9hQL7AlyF2NFHl6TqV4rK4M7pXnqd+51LG5hevqIY4v/XjNdvqThW+er3/AsJJqbx3ooF9kDhZYTB/AsUkGvBU4Nqn5VByb4avi0hTHFo71sF5+ejjYcen6XLgs8efhQStD/kqOtqolw5oyYsg8Z5q71xlwFlvzseYYEnmeAY1SawsRewzkW22WCyWxmejw/0/d1e20jgPhV4lyddTdtE33AOJiL7ptgWopINqlQooUOck0NSSxcZyUrBDPvrKdtClNt79UOnfgeIwnM5ofO3zfKgBArot0sR+V58PoWt12Vz68Fr3O/8WW3KfnS6eqpUo8opcXVcOzKUCgH9xu7JZHjwIHNwMHUWrj0IvtJ9POyY2rHGIMjlbiq9HyqeBp/UF3mJolnuf4W1wDnVeddoqd19EsruNYaZG2xF+Qb14YUD5PWKAgRxq1RggcyVP7Bkbh4h/xS7tvKFKhH2si1yIQIorcKbRUO4ujdxlVOAldpGLYlHOZwz4+1kXBORgKndKavnHin5r+glJ0uKedKODMwPGYpKfa+BXAX4zMRMAZg9OVIif4HiDCtMKjqq4s5zb/1N0pIyEotaSVfXBfifq9lAcXYvOQoiSlCCF+AMZiQ
P6EVb6ZYAYT8n54VmmahsJu3IBTYl42CwJgQ7HgGRNJ8l7mp9rN7gr8xXYI4TYDH8ecZfYrZPYXENrlCKOkNCGlFVLaK2TbQ9fuhzrjv1VRfcbA68Uu6mLvpQOPm797z/btfad9aw/anZv+Xc8a3l+Nxu3HnjXALiMxmfACq0i7G1mdhAlvehK1JomsfoSvcAADRCmOfGv4PBz1BnUcYUsofwxAim0bZdNsGfL1Zkah7F6mdllGOfEZolPs2k5AJHqhrRbY3QeWltOK5fL9fLc/XJxXXVQf7g+dhVKZdd/vWgUD3SijoDXV82H/oRsEj/JoZ4j9CLwu4mgQ+6f0irOzP4w4cVJg3OAsyQFc2K63qcvOEUqcujy8Vhm/rZUmytKTEq6ScpBtj1W0n9En8dqvE77ASrk0EXUaEXWD6iRqHolEdxhACkE+xFDkkfDdMH3HoMif08TLy50k/I279MtIHAfLI+bqJHN1Vmt1Vqs0K8IuTBdceBnElMzgGOx2m4qIn5fnBoOYJMyFPQFNCwdKqIc47B5GlNxJk8nsrQqteN/g8SBeEYZ4Nav8I1U7ghm3DgpHSBWSDnV3MxaSJzVkCv8e0ZDbVAXjXM1fyqghVsW9yPZrq/uCrnV+Lp5ipI0H/e8y3UsV9nTFWdanLoOh3HdN/113QwUDWXUvudyHjUP8wNJh71Sokc2fF0b+MowFiKuEMWOS1XXbKv2/AAAA//9QSwcIgsxtSENdAACoHwMAUEsBAhQAFAAIAAgAAAAAAFtAK06SEwAAfRABAA0AAAAAAAAAAAAAAAAAAAAAAGN1c3RvbS5wb2xpY3lQSwECFAAUAAgACAAAAAAAgsxtSENdAACoHwMADgAAAAAAAAAAAAAAAADNEwAAZGVmYXVsdC5wb2xpY3lQSwUGAAAAAAIAAgB3AAAATHEAAAAA + string: UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAANAAAAY3VzdG9tLnBvbGljeQEAAP//UEsHCAAAAAAFAAAAAAAAAFBLAwQUAAgACAAAAAAAAAAAAAAAAAAAAAAADgAAAGRlZmF1bHQucG9saWN57L17d9u4vSj6//4UqG7X7MQn0MuSbOfutNdNPJ2cycMrdtrTNc7hgkhIhEUCNABKVprms98FgKRICZRES7bsROnqWAQBEOTvBfye/w94+/7846fL0w+XL8GZR6QAkgHpEwEGJMBgQoIAUCZBHwOOBwF2JfYAoUD6GLxBEnlsCE6jCCDqmc59DNgY8wknUmIKJkT6gOIJiFhA3KmZ1WMTGjDkiTo4DzASGITMI4Mp4HGAhW36AeNgEAcBGMTUlYRRFBA5rf/XGHNBGH0JWvXuUf0Qcrf3X3qSl/8FAAAQEO8lQBPhuAFxYoGGWLcD4GHhchJJPfjSx+D0nxfg9bu3IJZETQ0mSAB8i91YYi8ZMyCBxDyZ2kzPBHj1CtQCQuPbWtIu0TDXp4/cEaaeo1blqNV4eACbzSb06HXSCd9GHAvzHuqRdfWR6hSFWE+OJiKd2iMC9QPsvQQDFIj0XSLOvNiVTvHBEEjkSuK+vDxtNpttaF6GMJrvgV2fkpsYv7xs9bot6AYs9iDyQkKJkByp7tBlYYiolxtmYPmyj4WEEddPwYu3pc8xktDDErvZc2cQIaEnbMA4pRoWb9+/udBAcFEQYA+MCQIIUCwnjI9SKG0VMJPhGE5EH0bZh10AjPoUCj3/qE2GWNZegJob80D9DSYRTNG69gX88osZgPhQ4/Mf32sHrd5Jvd3t1JO/jQBJLGQjxBJBD0nUIChsCOzGnMgpdDn2MJUEBaJxUHsB8hMcNevtxkEj1+WvxHt1UPuyMZr0cs+FyHWxECXo0u22YUz1crGXX22uv4j7c0PqzWY3wTJChUTUxVB9APX+EEVkq0j2NeZ4KZqpDjtANLc9hIetGF5HowdBtPQDN4iGkZw2GIql325INsL0rygiMOGjjxCHNkYDl4
URCTB3CHVcRiUiFHMrRmRdC8wfECqIhwEbAATmJ9gOQmDfh9OoD0+iwIIQz+Yw4hqNkatRIkB0qH4MXX3dd93aF/Dt27wQWXPUM4vsGbKaFcX6MQm8hC3xmB7Uvjx/rjpm36dOPPCnVzU9OuJMIUFdUbuQjAvzkAhJH/zpFag1YsEbfUIbLglIHEI0xFRuLvK60MMDTAWGeIxEueBrto8g6w9i4SKJPajWJiDjkNAB4yGaE5kb46OHo4BNnYiT8Sp8VH1IgIfYm31Yw6rU7Pe0L7mOv5ZxpRluKLDVLABfaE1W6iAJ/ge0RB4dXBQ5Eeah2ih64Bfw+vTcufjXhXP65v3bD+AvoGmb/8//nrVwJHFAQiLnPuZ/lqIO0gApfC2B5exS/VPv+BKUzV/oOiA40Fxmts7CfeGyCL9cYBzmn5TBS9BqZv8qYHcHZtgBsXBRMI+ohb1dq6U7RRhKBn0m5DYxeuhGy8Ts31+f70DIctaB/DqGrfFNGTpvJGRToVofMjYMcJ1QiTlFQUMJkVji96nQHbca6VanITAfExcrqchiKkXDwwMUB9JI4rldXiK9N5jvh5PlCsuccav8JJc7PIxbgOObGAupEY8IEW+ZYwaja3hN+3Dk2w4Maq11vdV1Is7GxMM8O84pjNL30UTUiTkLOeO2uq8hlGeTM6arzuGEgj//u/AZnAQJxCLbkzyuzvXsk9t43sIKC51QFGFaXIT5twHTeyB0NMgWIXekPkGIKBriEFO5cgt5boaA2RCNewaVjeLkvvaQ4ZEHx4EPD6el/G626zI8LNt3oUiqvdyswYtGw0IDj8LCdUyRlJh62INxNOTIw4XbVHfPPSEi0cGsJWAuCvLts47T2DxImHWNspsB6TcERZFn/mu48uLuY2OOt1pR0uyepDoRqP6fwJ8OoZYBEccyJ+a3wPVm2OtoPRnBnuP6IfNsKHiBqSCSjHFumNa6CTDBPNG0EeyBWBA6VEKYUajEiYe4ByRjwVbRUpyEcMBu4M2NbVf5DWYjnxV4xDP9fnMYC2oNLN2G8JHHJhox1OUwuQZfnhemmGehepqEhf6RYtiYRJMMxYotydWQz9/PtehDS4qD3gxXM/y23NT0xdyRfcD8Hf3MIWdxhLy51lhgbm0MmaXRw0FhCcMICTEpLsv10RAXh7q+pV/SBL6UfXDbSS/99E+d72TvbA68Mzz1sJCE6m14PWSePiTlbqumjbnT+gKw2TyETOS7e3EYETpcZD1qhxkQBbOVTIdN6BNgOtJrw8OWCwPaqch02ITumc6e6TxyppNH1DzXic0uKHdXtXz7Bkr6Dxf6D4n3/IkzqYDQ0RPgUUFAoPuVw5vOtBKPUq9XkUUVJvj2DcymyCPD2tPtOd6e4z0kx3vi/IhFmDrj9hNgSakF4LB/UoUlqResDwI0FOAX8OzZR+f1p7PTy28fnU9v/vnp20fnn58+fnj3r28fnctPnz+8fv48Ue0X2ZqZpBJb2/OhPR96SD5U0dz1F3DSFE+cd3GcU+s+ZtbVnF7DIY+gG95WYV3PzAtWZDyFKb59A/lJ9juqPSd79JzsiXOlmD6RM95N8xi6JwHkIqrElcwLVuRKeyayZyJ7JrI+E5EkxFaXlUfGREbjE9hs9+DYr2ZBMy+4ZyJ7JrJnItthIkQSFwXOhFCPTYSjWULGUGycBGWDQDIoiapBAsyNK+cVycg1uUWqw7kd9izcYsKJzA4qY+JiJ+cOcvVGN10dXCWPvBJTIXF42L462IZf+Nr+uIc9GCJxEyvarAIfRh0knWvWd/QxnDBa7iZxSkFMUSx9xslX7IFr1tdgQZ6HFRPX0wHh+tiLg9kitsPS2bAP3SCCPpOVWLrVKeJ7rTFGvCEixoKGWnXjIKFXxdpVQ/1goUmi/kKDUL0qSoCMDckiF0weAbZhLV+xivtkhtsQTNWZ6uakdggjzAUREtOCr1HRjekQJviNPSiRGEHG4TXr5/rPBfA0u4d1NbkC70
qqLNxb6t1kpdsST4Od0u2EjiANCKT9auc5q1/BU6LbBzE47+n856PzMkXOTsk8dMdw2mXw67BbicxtSpstU3nhgWuY8u/8+KpHwQoMZU/uPy25swg/PqkeEwH91iHstGye82uavUus3usbu+9MqQ+8HdhT709LveXW4J3S7y1qwX5vDGnbFj1d1fa7ZTosPHItW/GdF7AX2T8b0feg0dB5UJIQc0ts2zbJv9zsulPyD9uH8KZ/Ak/EcSXytxtZ70x9ezG8p8iHEcPllsud0mEnvIW0x2AY9qvRodVOuafDPR0+HjocHQsnFpg7wuCzlfhS+M9nDwII/B73MadYYgHUNKA4zXboL7X8BdJm+dMB4PlXqKfvNMvncieQLjPJjdRLa58LtchyW5xOEGg6A9N5xra2+o3a3lc4mkpIs2PMejyqzPAWkH7DLFhkzChOLN4r2mHAkFf3Cjxs+a2Isz42zZW2+vfJfKoxjfzIO3gLgJ/HQ2LVexbSZo1C5tVmIunOhtZqhF+Vl3c7R7DPmFQcPGBDRiGKJRMScWlNuVCFsZQZCx+MsZx0Ahj4HsSHhxUZi90yuAYD2TOWTYlsz1iqM5YHsQQ/VUZUqh95MD4Uu33Y/dqHPLQlF65sulyD3dwTGyosbz1D5xqL2rO4PYtbyuKeOAMqta8+GAPq9qZwLPrw601chQGVGVN1yPC3j87p+fnZhzcbWVfXZA/3wMv2/GbPb35MfrPEIvxgHOeQtODXyINTt9qWp9T8uwZDsO9R1rLtrjn7ng1tQpJ7NvRTsaEllukHY0Pt5hgOvT5s+qgSGyo1Q6/BEPaMYlOi2TOKn4tRlJvOH4xRDKY38LYbw3DcqsYoyuzkazCEPaPYlGj2jOJHZxSUTajjBYHD8ZAIyafOCE+Xhvf+M4np/V0NBW/evRNAfXd1E6STgBGe3nes73XLFo4msKynq6irV8mYxvfab7+f/ct59/H16Tvn/enr395+OLu6+NfF5dn7q9cx55jK14xKzoILLK+Sn1cXZmLwXue251f6rdVLb8MZZN3Y4O5RB/rkGrmjGYDhIGCTNaFMhZgQ6fqOy+hAAbfcKyHtCkI0BT4aY9DHmM6yP0yI9FksQepvla+/sh1JEd74MBgy2OfVTrZLcqenL1VX71/g4HcwG++O4//IPk/dbg+acpiKm/mYSmJ4Cky+9QaoXmIn3z2qj9t96HqH0A14RVQvzdi9AtXv15C5J42nRRpl+oPdU8Zk4sIekVAekUqUUZ5BbJ4wCuPWMLWuJK8njgtlRrTd4wLu+pDRGA6OKkU6LSTonU/Mq61tlRPzrmCwe/b3tFC+JEf17rE+PeaQk0q5XXeD9VUTBO8p5WlRSrnFc/eEIsgAeicRnHwdViGUpUmQV20WVts8V5LNE8eIcuPT7jGiE8bQa9/CwdRWabyqUeqHh2SpdWD3kLyRJ5CcnMCbk2qpp5ZlAf1RIBmhMNHTmuHlOr3z0/e7A+FhR0KfuPDYpZVAWBZ8pEAYoTC10cwaNDhfpKYhXQOVyGljzgQ03x6Qfq9T1rt4ZzO14VPHrRIl2k5xKxrE0Bv7EHcnFXHLHn+yO9x6YEXd00bGsp3HTnHx9ojAw841bPFxJVws8YPZHSpW1oztdrU/jPguU8DtFKsnRwxOOsfw+rBSTdEHcGzfHcr9QFvG8nP9brGOE+jfHsIOrRZXWurcvEtkmWenq3UHO17wD4Pd5TqKnWL3SbMJW+Ia3vqiEnaX+szukWUbyFKqBtkpskS3I9hpx3AwrOhgXeY3+UiQZW8BeNTU4RKn1XK6Tlb+o08o4gSLci3T67Toh8nOB9IRJbSzVSo5GhM46XLot6rlri5TMimwJbAUud8ppHOX87dnYF9ozHftMyYflTfxbqli4eV/ZAfjIhN8YC3iui6ndyxHs5RxlKgQd8k4bkkMh/4N7Hyt5mdUpkHcM44941hj+dtgHI9cQ7w7RlN26NslnzmZhrB1PIbdinym5M
T3gGymsJ71tMEPuLo9E7S9/M/BBJ8wiyrT9e+SRQ0iBHlvCNs4rMKitqjqL9H0PyA72XMTy8vvuckT4CYlfsy7ZCipB/P0qFIg356hbJ2S9gzlDsvflKHcxS/+CTOhclPyLnnQSRTDMDqEt7ia+aTUkrwr3rGu4fgB17c/e9le/udgbk+YUZV7BeySUQkRwc4RglG7WYlRlToF7BnBnhGssfyfmRGUenzskhHcNGMojkN4HHnVGEGZw8eeEewZwRrL/9EZQZbfyidjLBwFCp0bau18V1luKz2BonY8S3z1EPmusI0hbDvflXq5gAi5DY+ldSHaarVTr6X0VdYEqkADrNhPwZXPBsSLpOMMivcMrduuLc9hVWhp8bMsOxka4L8xJh8QWN1eG5IwQoSnA1Y7lRXuLSk4J3wcBI5PFLecOh4OsLTT5IXqCH4zHXXGyjeFztsRxd6Aw/70BIpbW43V/M5bV5NTYKzV+0j46Ssovln/Onc9IMWG+eu6Nz9D7lJnJ7Tu+b/XGjwRxJrF+yzE6qKQz9BlYZjJnlpO5uWk4sOhUvOoCQn1FNkyDjkO2RgF94RMYhqWZ0sW07Cv5tPGbTBg3AwGfg7BElUdkIgPsSR0CBoeHjdoHATbRbpwAFHbhcyzac11QUMNRT0v1fpE3Yj4UCSIcFA/SFZuxHq6zh8UtJLH1EU75RTj7i08DjrQ69nUjJtZNHJWjIdlMxbrScZklvCY2UrVV0yBU/uhUC/iTG8gV247NPYlvTX2rb3tqIJ+6aZjQNul6DcPRwO7xkGyuDxAGwfczaNALpvQPOoWMVaj7MaAXsvRfSs5cMG6QBe+MyswrU4MS/zgLy5+mwWIqK4PoTXwpQvbR13YnEgLBpRqDXLexRlvAbW5V1XMYa6pXQNfEh9EuwO95hJ1Ifwiqyg0jZE5UGatGyZmfRDEa54cQ+S6LKYShoiSKA7QA+Baiev0TnDt6OYQ9hCCEamUmSznYHpXXLP7XG8H1x65O+2jxc2yXfVOUPOkNYDR9AZ2O5UyP1kOcpUws8QEc0fELCxtPY/bOz7poYM3d4KgZb6WO0FQHrnwmjTh18GuCgVaThOVcL3Ep2qPgcsxsMQ/bydImB4XbiZ7JLTtOh/aaevRIm65T9dO8FZ2Y3jj3cJet5KPRN5v6m7oVuoNdkeEKyxvXc+uOz7rp+Cw5T49O0HUaXMKD4cB7HUqhaNbLQqVELXUG2iPPEuQp9QPZCfI4/cRHA0wbN1WKgqS9/+4I/KUeZDskWeGPMIAwoYtp6kKXCt6jRYSe+orIqpRqTh2O9iS7uXGIbNgy8xclO1jSrxSZqYFIXyvTKOvZtH37wTQpZZ8ETgu5tKo07EjURhhTuhwmaL1HcgNmSdOM0OSpGer33zaJXB6S2H7qJKydWlKWyGChnoZUSg9GI3Io/KseliXojkVsEXtO68V/q+lXyir3KcXEUcekhi6COaRqGabwubBtdXJfjjY2bnHd1DjMXUP7sY+7mIM7HYPoYj7Y8wllDwWErrGdWa108pqvlSqlN8RXxpNORTDHozFSUW+VJ4Oec+Xdph9Y8/Hdg3rn4CPlZ+cd8TGJr0BnEgMSa9a9tcl2TFXcLHCPOtZXNaY9WfkjaVvWo3NgNWsZusT/hSwsPOvbZzQHwEnK7f07YiTtU5aUE5bEGcnk7U4WZmhZbVdZVmy9LW51X738VgoeD3qffI0W2ob3RHZZvZR2duT7Z5s74lsgd3WbL+7dZvzIyD9ZdblHVE+60rYbx7D4161enNLC09UPHysZQxeY96f8fix54GPBRLr8cAnzb+WOR3siH+dTFvQ7fdh1KymOllaWqTAZ/Z8Zc9XdgmJn4GvLPFH2RFfQdMx9G8wDKyR0HdISrLnK/rfnq88Fkj8OHwl9hjmwjF9sswmS9xozIBkUpPXZGflrlLVi1uxiqrNtSbhMub1ZgekpKHubVzS+ScjkrsjfwdGnIxJgIcYYuGiBb+8YmjvMU
T9WFFKgMemelVCAzDEro8oEWFurIj7c8PrzWYLCixj4kFEPfVzSLxVQxTdecwMUD9c5PrrpxcqJ7syL5HHSHbBcSVDhdVz5A5k9yDOFHv0vQP6lp5wHyP2htN+Jey1nHnXQd7CJKu9BdaZcpuu0j8xtpYagB8ltlo9tvPYuqWAO5t1aS2k3GGRzv225nFT2hLbzWOktW61iEG7PWcdmilMs44xZ27SvXC4N5Rdoq5/jCjbv91CdfB1UHaPXttBr3Kt7WNEL9E8qoZeNk1uRfTa3XZitxmh9/S0jJ50jluvWIy/VFl5CgTmY+LukII6xwJ2ehQOO5NKFFQW/af3peYjJH8zf45s22q/rWltyUiNjUvG85habv2chpjq2t+NibttzVRYoK/eCTSAgQnar7YCFO4tC2a2012JtvIR0N1kMoV+x4PRpFJ9ytLotj3dPRa6e+Tq30dIp0tSWe+aTHsdCqNeCOMbWwL82rMrqtqe5ZPu5cjyqoQurxQCXi2hzLSDlTYLo8upM+1mpc+r2hez9NUa34WFxALzJS8xdzvNruEyOiDDVb2Seiw+4risa/59sltfQKXXebxQsb3HEwPFc/MKy1n+VZHnqxmvilx/rolH4VzLIuef60DNkPyzFJdfhFT+zlVBAiQtqQzIdZiTApqgnm/uWfEI2XOZHeIRsOejrxN40w/htFepvNT2Y1se3fZLcZBlcThFqrWvtHBzOfMo9lnCOhYXnd74OXeMPyLDKDenPAKWEfER7N204LBpO3jldnQlUTBPZPdQvvpHv3+wvsPT3sut9yaPHjL7nd2PxajLjYiPgFFfBxJOO2PooUqFGcqjfx7lHm15rFKRAve7tP0ubYvEX2rifQTEP72+hqx7A2+b1VxdSkN0HifxLw0o2hP/nvi3QPxJxVfHZaHDI9fxcD8eDk3KgqSI8LpFgz+dvwavP74H2RSzArQPUDJYIluC2qpFaD/+evnP009nV++Jy5lgA3mVvt2Hy7Q27T8wV5Ond7bh+7BuxNTdqwencMa3UcA45o5BOrXepcBNxoF0nHHp8ZGomBX8bkDtBbbCoBNOZHZcUuSQh+rVG910dXCVPPIqXXod3+IHhNUda3engBoQjicoCBzDr2Oeak8qUmU6DyjM86CkOaF0C6RZVs37ImGJVxdKXHmnrhI5V+eIoxCr17j6NfkC5/qrXz0tevWZkEkF92XQlj7OSFUPMXRaqQrn3YArg8HmJGqk22H76g0nYwUzLN0r/R4PCKwNCVZgN+ZETh0sBKaSoECsy2TDVNqAdBIwmwTMJrlvWH6NOneH5TlnQ45C8CsJsJgJUHCRvtLrgGAqr0IhsIvF0+LGphTugAUe5qI6EzYltpPhD8p76aGt7lVV3lu6LZrfE50lsvbKVAP+1byx2X1vZ+LPAnMwN/vTQSPN5xxMx4SzEFPpjBEnmj9UxikzCVWzgHSWB0Wt8IRsAbX0F7GI9eTn1YWZGLxHFA0xvzqbvfYTADyKIsRDxme+81JObVA9peA0ik5VX2CroQ1MaRVCJeZq+WN8LyVWjqSA7eYx5NQmCXSJFS0IZiVUEILJ11enZYSg/g6I0OQSxR6RpsaKHi7l1Enqq9Q2V5uvC75urw1JGCHC0wGWI/SSY7J+C1cGTizQ0Gq8vPRx1gu4LAwR9TQEY4E9IJmB5NT0WU2SVYCWEuRRaItzmAOamjxdZy2DCuJD4Rifh1RFU9MFlIIaeAFq4wektK2AykuOTUs5aQYyb+5wtEh9qU4zFoQOMzjfCxSDqS3v0Jy3hppc6wH1Usx/Pa3a0zDdLJoWWLLD5LHmqaGC/sQrj1A5bFADLCeoh8QC7NvsWqXRzQYN9Lrrnrmq6yutwpxDlOTOlz2mzDBlIhw3IMvZ++k/L8Drd29BLEmgDjT50mf3ggQetam/bAx9tnm7+7derYjudVvQDVjsQeSFhKo9Xhp6peXd4ifvYyFhpHcsFRXTCiJ4pI7VWr3jJNXuHM
lGmKordUIuJWQFqrPfLzJTVTIa6NEacHMzbAdwJ4ND6KMJPGndWACXM0zNs/PvwJQV1HYV7HIsRQOPRB2F6CujaCLqLgsbydskL9M4OKjlPRDnCg2rtevXLXR6Vm6TqTVYJBsekshjQ4iGmMoGDvvY87BnLDWqSTOUFR0TY0XEWR+v1T9REcC1n5C8xfoDJEcuXto9e0P7ezZQFDYIvcau4qKSOea3w2PqFs1XHvSZkJBQIVEQWO9lYZhlvewd7ItOW9wgFhLz7CW/FwdEyB2hIZ5lUM7fTJ6SGPLynD1C6mBmCitmmDLGAeZsZvG7O9PpQZdjz6i6oKHJMhbfbcOYalTBXm5Uvv98zGa3rcM8c50hoVChfnXxQELPbg+nmtu8ff/mQjMWV31HD4wJAghQLCeMj1KRsVVmMxmO4UT0YZR98AUpoaGmITYZYo3Sbsw1LgWTCHpsQgOGvNzpTJ0DksP6Qat3Um93O/XkbyNAEgvZCLFEUOFNg6BwRrq5b5zUSZ1NcNSstxsHjVyXvxLv1TaO7w+APt1E5GkSoS6G6gOo94coIluVeF9jjpeimeqwA0Rz20N42IrhdTR6EERLP3CDaBjJaYOhWPrthhZnf0URgWOjFnyEOLQxGvSRwL2O42E3F3g7v78xnax6BjMQEDpgPNy+7026N0UdW8ybZW9qlmpVNWiE2UZ2onWPCa1OE3qY9QexcJHEkKnjgvpcRiao68Xvth7YXMylIr7yI8TrpEexZLJkQHJERUgkYDyFHgIRkwa5gikIUUBcwmJzJl0JzrupczvZSXYFQNM31RYcHdP6zPCA0AsIxXozexDzwEWujw9mgC/cF1FA5EHtOfj2zXLXfIWD2sb7i1YrPZvonA1Jiogy7Gh2IaFD9e5QMhZADZgB5tUQwUeSMxY6HN/EWEgbKpyCNx8uQNLB6BiQh8GAcYCyCYDHQkTuh3opsZnkPSrqekmE0ZyK1yPCZdxTTF4rdSNSlzjAQ47COuPaV8v1aD3phqJI99yYqivBrnvUVucNyVwFt5hSHFi19MsAx8KQUYdi6RAqeSwSP8jADsE5iQueidj1ARKAhih6nswWTA1fJlp1b+YESErkjsT96Q96nSNIgz6MA1vgm02Lr9as4BgiIVykdfeDiFAN26/Jva9DjvrZj7b6xWMh0/4R1b++LNUp/0P1TIT35hjSPIIa6ca44FdRsNt0ejCBVOo8Zx2zFnpEJMAOGkjMHQ8HJDfFHG4kfTmYcCYVNxexiHIsXFtzZiWPtgp8EQ5hgI9hKGyOGQs6iET1l2j+wF9AM+ugWHt2sRjdqJUWMowSPcS8/iHZ3NVHTJ8G6nMOovYIxO9GDZLMalxNGZPpxYE+8Fr9aw8OynLNZyqP2Sb1Go2RPrW7ATJIPnT1dd91jfPtYq7ru4yeo7L1B86l2F53ivIc+3qGjAwjEulvGE2lz+hBMTd8aZ0uO50iTSgFrPWR8F+Cf/+nAiWvzv50h+1es30Es82et2qPVxQnHeiTa+SOZkpROAjY5C4sgzuEOvPEXsox8ptDQgXxMGCDe+MW2PfhNOrDk8i2+3s2d7hbjcA24bJ61DPLNnPIatbTYj8mgZewAx7TLHnrHNrWamDdIhGKp7gkIHGY6M6W4vs62Hw/CLrx0TL7RE6fYzRisXQwjUOc+JaqPW8ZdiYDQYS5Whr2tM+Jkme5GTQvGBNJsIKWG8QeoUPg+tgd6R/ZLDymkoT4RQofkBG/eKE2TBwoNBAR0lEmkdqJiBfgncLrmT/Ze+bFgRoQatV+xAiV4gVQ5+F0b5bNIupbpZos1+qhNfHLPAe9ql2Zg9IVXVD9kyQqMh9RkY2/0uSxZJT6fo2DhpBIxiINcEwaJRKj3L10JluSgtyomHhOiKKrohZ4UYZc6WohV7Uvz9daIZKSN1zj5bPuW2m4KlJYd4A75CyO1utNsWzElNyaAE7wyy9XtPCyhDpxFGHuBGiKufoWcx0KtpOrlQYI3Z
TEka4yh+TMJ2uOKBhQ1htTMKGsNyRnRCkdMGdGWey3zJAyHw5cNKWU3F2wlSz2K+tSwaCSEleJScV2O29UUUi5uVxZfd7ptQ5zb6vOzRwLFvMNjj1cO/xKzKmjXYFtIuKNHgkQnarTLQ4jmXN5MgQnpqIxwpzioJGfEww4C/Pbmxdg4hPXByEZ+hJwLOJAT6Z2hRFWvxTUwcTH5gzFMfDiMAJEAMnJcIg59u6H21+HXRu3X7S7XtXyb6h5/xWdddNiXtO46aw+T6HTnd0xrqhN9FTevwssZ5fqn3oxGyrMdrVOLncq0F8eB/kdR33uvnBZhF8ubGrNPymDl6B13Jz9q0Ajq08SBXJpQYNYUDLNTioTh0I+J8O8ZcRhCEMYla/unyCwxl+tV0hIRu2WllLN/SB499YWQ4dviay7KBYat19//HT25vP787M3C5vuV6/An/89a1mBLv/ZmBs+KKQ5ckchinRIhzOntStA+3fKJhSwgdr/k7FiWCzIhuvjzPpKv7tp8uMjW22YgpY9OUuly1L3kiOVG+I6vsW5q2j6sFa2ZvMQMpHvruijsjaXE0lcFMwc6/FtxLhVHc/xEHtEZiY00zObYuZV75PxfZlf+rwUaHPHaY6H2vTyAtSShZtYmgVDSwJkfxSECTj9EZ46WmfmhDpzdQpnI47SC5T9SvaVTxMBGHWQdK5Z39El5Zcn26YgpmnGAuyBa9Y3bmJq86twQk0HhOtjL85ZFrbDf9mwD90ggj6z8d/qabbHiDdExFjQUKsu5CpQDfWDhSapNfvFBlE1qD+nTkHGfyrTriSPANvIQr3D1AJPNbf+IYwwF0RIXMwPUKC67iFM8Bt7UCIxgozDa9bP9Z9zkGl2D3VOfAXeRdq8Y0aCErotS9a9S7qd0BGkAYG0H1WkW3ua7idDtw+SxXpP5z8fnZdmHNslmYfuGE67DH4d2s7/lWoubpvKCw9cJ731XR9fqWZ5NYayJ/efltxLk0fvktxjIqDfOoSdVUEc9502+m6U+sDbgT31/rTUuyST8y7p9xa1YL83hrRtc2moWAhz23RYeOR6uX/vuoC9yP7ZiL6XpAn0oCQh5tvLEmgl/yX5gXdJ/mH7EN70T+CJsMXR3yEz8N2oby+G9xT5MGJ4SareXdJhJ7yFtMdgGNoMG3dI0runwz0dPho6nEaShdqSjfiwJE926twYoJiqRev8IQDxYRxiKgVAQjCXIJneyc0qtkqK1/wQNsNjeG1NpzoL1mB66amnrRvFMOKEGQOgArzHKJIYBniMA9MyQUGAJUSep6Y7yPkA56I/1HI5oh4Lb2Fr2IcRGmJRK/RMbZU6o0Qc/i/pJriWtQgRFFtai51ai73ai73auV6UuNhHwk8up1hEbIL5Knzeis97p6lTlriyBNk7J72Z85ZxRq9uA53hKaZjK56eJ1hqyycnQIikm2Kmcd90pyAk23ZDzxL+XtsKDWs0Ues3BvDzjx/fOZ8vzj4pfmUuPr3Lfp+fXlyoizcfP5xenjnvzv5x9m5z9vQQwIoj4YgITSj2TMJJG7hM6sOUtSTdjRNdxAmVOuXJPUGnObAlJZrzUdARI2Axg8Ssh3r8gLEQSeJCTqLN/SJbkFCy2rGgddKEOhs0kTCK+wFx4QC5hA4hiqIgKX1QEWY8cMJhKB2hRGhJsOfM8T3UWQw1jZkBej/G8QArykrS/AH386d3oJhTZ7uA9FtrAFLH+sbcniVOE2JMyS0071ES2m82FnXVR7FYkDUJn4RZ8/fawWxjUmjlhOWvBxyNJMm38JEMsExavtwhfGkd9NqB262HJOojgZPMs3guM9McgqW9QQ6PM96ATPrZF0kW2iRe9QVgHPx2eXl+LykjwpsWnB5ROBq0LYiW3/zPkG622a+ZTSkSfu1F1hPk96uLt1SzvVFqPlM6l3VQv/zZlltpMzTPKhn4tXTK8oe5pXdGpXekfVBA+g3FJTkKBya+XZiFx2LaZ7e2V7LeSR8zIN
bvMBL+yaGlnS8uOG229g/s/cPy5uVf3xU+4pFlaMRKvySfn0zjSzm0pnbU+Cr8bklzumagNs6zHrhSTpWFkUVyMk9z1eE1+ekP1ZdIL0LmzS7YhGYXWR8PSZz9zjp7g+wX4elP7Pos/R1kUwUi/RWOcp3DEZ09OxxJHGaPDMfpr2iSdeEYeQGho+w6nP3KTSsCjLOJhJTT7PeUuulvyWLXTy9iJfDSi3EyVUad3HTMGEBbxGGhAQl82J5v6XXmW9KHZCjpu4wWGkZzMysUKFzrtBmFlrhw6RHusoBxMdc4/2gvzl9hOi5c3kaIenMthU8yQK5kxZawsI4BCwoT6MCswqJ8jAo9fCYkKbTMXaV50GZN14wUPl+KGtk1G86/d+h15z6xaalLfKuTmhTWGI4GZMDyLeq8WLguLIgyP44KDWoPXGiIw7kvxQpvGSEhcbFB+q5feK2I0NG00MCLV4TKOYjqtkGhRd7mLzlGgXpUoS2mc/gp8E3h0ketua8pfNRudyyN3d5i4+GxpWe3NU9ewufYKzbEhXcRjBc+6QKRKCZbvPb6c1MUHymRW7wkBThLjIuXojC9JCFmRbqUvHgVUxcVAS3n3yLhW+llTBfJMqbkpng9TwKxwEVeMCm82MRnc5coJGmLroLl+pyxTHKkO4Ivz/M+DKUHPS19wqm4CbRqMWR0yPSviAk55EkO2myePz1bemRUmxevX8hmOTtvqA7QBVoriQFEtecVZs6WUzr399pBNHQmKNhCTqLdnVZ1Za6BWJmO4NLHad/5fAT3logg0zFkHkH2JHNq3mRttR/ouIcDLLFD8cRJMNUGl9NZTmozwAPCZ1wG0yR6jMj7SyqUAoj3bM7ONuvpn/9tArLrro8INZFTpt/y2K9KEYkcm7AvXTdDPV4XnCj0TWIR55dY6JPGI+oFV8CVtTM9HDUhoZ6iWsYhxyEbo+AuKJKUEAnY0I4hqWYwRRCThyop8gkCNtQ4tF37QhZ41uJrosYfs3THsQx1eindELBhYzLf0J9vCJCQARsW2gaIBPNtYirmm0IshDY/FPrpjI6FJhRLvz4/uM+YXGgcYU51YyFhQjFfbs6+lrPAbayUflDsiwI2dSJOxqtS2WRBmV5O8akTlqrZ74krXcdfLahXpppeFBrF1mSlDpLgf0BLFACLIifCPCRSUdcv4PXpuXPxrwvn9M37tx/SOOz5+fNhsRxJHJCQyLmPuS2eWDa/jSXm12llh9bBJjz7cQRn3z0ZjofHwg9XaVa1wM32P9rM0vDwuCH8sAE8wrE6CG9Xd5pl/++U2sJmvFTvTbMVHRxsvvtZm6dUyl00b5VvH9WbrZYeFWAhoJCMz/KmrglBwuXUiUiEnSS23gbD8zSRKnij+gPVHyT76iRrUWHwdoAo8DVstfoQT3sWID5TR1QX1/XaMZV8qs0q4Bdw/vb8zPnb51+dX9+d/t15ffrBeX/26e9nzxUX0aylOPSWyJUjX6UjUxaWRGkVCngkkVjNzU83lUi82TuGeVjAAeOrxldCjPzkd8KOrWJFp92GYkxg83C8EivWAa0SNz8ZaJmkWDo66cZS1v1m1rGYHlvn2si2ySEO1+Hfd4zpx74FzHgx3bFeq45yL8uX7LIgwK7cAn8/gclcS0CnhACSCCp5B7VOJfEsrgYrziJHZ4Fe4SDlBhhxBR4fpwcVPWwlWKrQXlaNuGXbKdrqa2UJWMZhI/cuG4PgAXxJvClFIXF1PCXmaTG0JR7bGSxMH202TiYBZpKkRpreEW0VMG1+Az3+FbZatlKlJadHLN1G4NUFq0ccazvYC5Bv1aXQMt/PWVvdaxyYm4v57R7MRbOaa2V+5DQ2DxJmXaOZiyfpNwRFkWf+u4WzZSVmv518qXasLU06NkNak2ZZsgdEWtGFJEKQMbaam2wVZTdMEbYbjN+RUzJYkQJ2X/pqX/qqvPQV4sNxc4YjC69baBBZy5NkvZjGoUNC9ZXsrNbqw5jWPgiI0O
ah/Pjt8NksNR1ergzJVavQbEPBZRT3sSs1/riS2zwUa3rFevlbANsO7EbaphKIkqRWv+vEgSA0iZLBBHOcgsqUMFUbbj36Xr1NO7e2jV3RpKdXsfHOeg0QNI/byVkmr6na5PNTPHFy+4s5uuHYxVQGs2rsMxvevZrpDsfNpQTj+ogOsSNJiMH/gMOmVnIn9jrdgdAkC1czo5sFwZlZ+AofQtuXdft/ikPncir/6ZWBb6nu/S+gFS5FifW14gsmyEKfRB1efMlCDxRFmHovgeQxLtywGQ7NP60mP1xQky9ZZMlXvP+lCvIVJyr9xVewJWJd9qWr2GSXvEYVi+yalGr8W2x0euljYO4WaqrdK4UObsIyCs3YYuKRs5QItsQXDw9TvsgmSjoxDmOB+SacccJDUepgom+qxQ85Cu/3S+OxLRR87kur5Wz8oR9AtWO+lFqe0yfS0bG8Zd941hf0E9+QLPYXAYonwTS1ym7/iJxpQWNh+fq5GIBcmseFrPu2TjbRNetnM+3aZlkj4eS6I38BF87b//P54tM39ffvn87134+Xv81n+8mfLMwG9H/dbmHjua7Jrt1ua4ub3nlmxkuozdkaLAKaXcodfMuys4e2OONb6aCY2BGTI3c06w+S/kki+Nmg7WKh75bWq1TPBH/Jb3RQYkc5/fzm7aVz+vntG+fzh4uzS9Xhz/+e+XgUJN1/DET1CdNILecOcaTmrV8ue0zey039KxHExtXRmRsuCj09PEBxIJ0xCmL8sjjt6p1E0VXN/Mt/3fJ3KAwh1MecSDz/pHW3GBXeaM2F/3dNYYDz53/3YxJIQkU9jonX+U/tv9dYuCABprLQtNm+pUhWhQ3R+oRVGLZd0upTe9p4JV7N8cBQ05wP7uzenqr0vzWR8wlTVQLAR0xX5daGNagL5Advl8bca9thIb/meqSkmBFie2paGyn31HQv1ESoxNorb4zLcxksJancDCA/w3bp6vbEppvMHU7wPj55H5+8j0/+UnAzk3Lq5DyqLTl/jHXFBIpVFEfqQm+/zc+kavPcFcUTZy/AnrgAWxASj1OWjY6FowMpzcqNw64uN5ri3dpCbXQsTH3TZK5kgu3KNNQsze6inu0kz66n75Wj5IegVnVjEfJ7Kn6qVKzQKCWNR0m/NAqdxMujCsGyAaBRCBLnEZDMkNeMbpdsb7rYQrY1vOjj8P2qRpmHk5qjNAqTar1X9FlOwyzAq+/gqnaQrhwcXNUKNeZzXZDnLbtN0ptX1H6fLh1NxYrbcuX8QqJVc6Clb0gEXfkUQVc8RXVY+ZTkU5uawpRJG0wgnnVZwW+vagmcUwaaXBqmm1xkbHfuOs94k1sW1pvcyRPywVXty3Jr2J4hg0fKkBOOlfK8x8mUEwytwpD1Dqo4brsceOC5Fg5sUpTN0k++eeNcnH36x9vXZ7UXoPbx8uxdeu18OH1/ZnKg1tQj64mPoX9Td1nYSJZeU9PMzJSq42anpP3G6WnSacqkHzN95iRIZVKleJKS632an3ojmwrvkVBt/kRUTBCwjmVsT9hPmrBzu68nQuN3NH8tUvo9msJG1zZzc5kpLNt9Py5WsKfsPWXfJ2WvSiO+fI+dZA6+P7Pbyde92W1vdtub3aqZ3ewJFlGEXB+3lSyjQ0Jv9dFQstBFJojTlzIyaYLn95mziV59B7XIjw5qS3utk89x5fhrNEZqzLXmMj4OIsz3dkKwUkb9zFI3L80eg8DVMS1iSl0H3w6IXcD6GHA3YBRnUZL3HlFCV8R8zYjQrEyRITdJsUFNDKTOspf8Ea7+45k/3I0291NvNaH+XJLnjShgPhClc1zoBtkYc4jUd6JIkjGGEWeSuaxaArsBoZ7jcuyZdD/CBjPVJ4v/ERhx1yd0CAaMA4GpINoXaXBv6RNl05YrChfCVNQSa4uBrLpWRvZuqzjdGrBq9uBswuV5arvdNoypyaHowcVPDBbTf3W77Xqz2cp3hoTC/KetANUV9VeWQNUa1F
yYabsQbk+GG0A4rXKyMWxXR4NtPVB56EYOCT0r2Z1S8PfX5+Dt+zcXJk8kCgLsgTFBOkhJThgf3UuVEs46kF/HsDW2VfqegYWsUYTBBrAQS+QhiepDxoY6ukkzsaDhsjCKJX6f3G+MWya/PXVxqmRQNMdiKkUjEaINyUaY6s3NQat3Um93O/Xk7ybzbY5N2+UUG+d1HBLpuGPstJvtrtM5PjzuWHEuqYZTKKCF1GBghPbEJ64PXBYHHujPJQxkA/D6H2dQPQHmn7AdrMxcvqelKU1nWGmOvDXzn9mR1jSYM2n+T3YYquljZ83c0SfDmj5C1cwxsZYd8nK/zNGulhzNauboVkuPajVzNKuFsz+zp6XHrJo5VtXUEapmjkw1czyqmeNQLX/8sedv+eP0y4xbDomslfaahdmZ7U75fPOei1zhqCBjvAX6aM/ycpTQRbt5uJgqzw0IptI6di0i8OO+gyJiEsC60h4k+ncif4v74PT8reG8c323i9C837EgtMsoxa6sI8/jdZ8JmR1IUUTq5kUUvJd7I6wDiGMYIIk5CmDIxlrWl8Cj2W7pJMkSw4R7VtuV+MTzMDWR73Mb/jkmZHqChZQQQGfaF7GIiEtYLMCABd49ZdzvDwdlfKaoIKjnkhMWVXPfaw2fhTjLryPDKPs9RrxwnctVuzltrRv52u11oE88DBGXZIBcuWxz2uvozamBTZLYNh8xSyqiw6LHzaoCDKd0MfxB44eQiBv0EMTDShDdVz2Ga+zD1jGG4Ykth+VeU7vX1O41tQuaWlwSBQEWc8JvoU7J6o1FT2d7zY5xXkgoEalepZjyaV1WNsZk6DsK+5xYzDJ2F5Mqmy3WTJrNFb5OalLo1rdmRqBmBPkZy9nY3ZLx3h6Vb6eTTLvJse0iYmyA+dvzpMboJxwF00v29lwUG96wEBE61/j+9HXackHJIJlnc0m3RtrebvcIIm+MuUB8CgmF0scwJJ4XVDtBkchxfeyOHE+/oA3Cp+DNhwsQMDaKTXplT52ZBowDBN6eAz38Xlz1OmwMER3C9tAW4+BRUb+JsVCLzGk7iYuoj76SSO8jX4AaiaDaXCZX4ZREdRZhqoYnbfoNSFRHIfrKKJpkNyY+kkToIWiEQmRmWUwmOwuq2Bj0q9U1zVYvTd6T6EugSXwaJ7R+N6UNiRwD4qWYkLy2AXqSxdnUq1KokJSGV1sVdSNXxWE7CJGSN4kCC0LYDxcPiRSFFRDhJF/m1SttiVjoETFu0k0eN1+ATudwc8axQ+zRmYeEg4cKHg4KAjaxH4TOdA8gORoMiAuSnkmSwnSee0Gb4+PyFO2pjiFdQFHRkOr5eO3j58vzz5f1g2fP2t0/mrD75duz9h9N2PnyrXXlffujBU++fHt+5T2/qv/1qv/8353/1A9OX78+O79cSDcqsmyjvPas1T66qj//9qzVNH+O2lf11h89ePJldq2ek1z/X91w+EcTtpIOJ2pA79hc9E6u6u1u56r+fAvCaP1jV1vnwyI8HVDx5MRdJyGP2UNK2E+IPAwQBSyWfRZTD7z99BosDN4u9tzQ61VMRxP0q1eg1+sdreYHm0Km1Uq3dfrEqvZ+vGAoK1aFauVLCUKdc8tmXZsv3nLU0gfkCe5nvavB9RqN0Xxlc8eYyO1AVgMySO+ysPksqZnNCXFf2Bzsz8X7c/G+sPm+sPm+sHl6zfaFzfeFzfeFzWcNj7qweSZxciezKo6syfg77+B3Vx38Oo6mEvP5fXn6QsUN+f82ndV5FfcZG810vegewwbCQXmo3xx0zLYg3RGkm4F0H6C3AIn014Jfy3wjHxNJr4W8ZpupaE+leibQtSw3YjwnwbXwTuV2KrITaZ0I6lRGp+I5kcyJQE7lcCZ+M6mbE7apjE1FayJRM0Fq5GdebM6kpRaShpNmtJdIwkwAGm6eiLtMyiXCLZNp5j+ZBEsEV/IhZmIqk055aZQJoUT2aJGTSppUwGRyRX/5VIrMhEcqM/Ticx
IiEwxGHuTEQMb9DdOf8fo8i89z9jxDz/PxlH0nXDthc+n3T1hzxpGT99f8N2G7htsmTHbGWzVLzXHSlIEaDMqxy4RLZswx5YmaFRoOmDG+hN19yXJ1zZHLyp24ddSP7X303OoulDu+JBwTJkxQC4OkKUD9pywLRrpyjGMqxzgKCexiYJSvMKMNQarvlv2HuvIQEjKGfNy1cH/1wGShdfNwZ8BZ6JjKnuphWZGRfFeNxFltJzpwEh3vi0zf65jVm5befFM/KtwuDE86U6RJig4cjnXBLBKNO8kDnE9n//vs9WX+cRxN1GXsRY5HkC63RnQJU3WxrJRZ4VW+1wYocBnVoT/2qmwoknWj7/fqHiLBVDXemheAAR4idwrDOJBExwGI0JTVghPGR1vZ4RzCCHNBhMS04NtZ0Bx3jmCfMQkZhwEbMgpRLJl2f7mjS9wiSq8qZD/zDjd4ZUomFHF+q4jujfrwJPZg00UrEJ0uK2e/BZPjowFRjpSrcSDj0btmed8qQAr4EKLxLbxtje7Ejbah5n+U8FlFTutAKnVsuy+vtuHtIeygLpycrKKwcuD9iBQn+DplVpNC+aZ+DKbqTXWeB11KjinI4gCKCLtkQFzA8VC9Dr8fw60Xra6eFDLPFOJcMLPqmtqh4Afa1GzeXWxeXPsByv8kEEvexgmRuImxkuzLQUcEyLoqcCEBUEqR+mke6E8Tg3ufq48u1ZbCxDsQCogUOt7zXmA5EOXH+my3zWv/9+qP+sHVlz/nziOmROf87ee2qOko0qTaXkjdp8Xo5sXx17WJNw97MA+KatAPmecERFjNpGuVexzdd7XH2/HRSsJUi7DHuKn1bsNdbg2vl20WghzFffXxJRaOR4WDaRziQpRrEVBZb+1Gt9h7uxDpHwkLRBZ95dT8iE7r6v9i7NaTqrp1XVVZg6swRk4jPebi0z8sIvGBHN86vcxnKQ10uxsEA89BsUekE9NYxChwAtLniE/zpQsXArzfvXF0iSgwRpxocUgEiFgUB7qkWn8KkC5Ebuqt5cM5SIBBVoHrXqAeHtk8FGop68vSIV3V0reYZZG9ogCEIYrmwzyu0jiPJGOoCexIL7LIjivDoYuzzJV2SzZTV9QkQdX9Is4SwIBfwLPzTx8vnbP/c/ba1C4Hm+PTDuoqB56TVHuviljnn87efTx985hQ6/oYwQlxYX9MLKiFCwn3vtdm7/DqwCCKdovONc8wZgscfxfAJf0IhQ7uRwPHZ2xkg+Y7A+2kb10woHpmIhn/7fzXrcIo21P1+xYY9aNB3Q09Nevfzn913p+eO68/nZ1enpW4NppVX9UF2wKE1g8UbnZ7kNAoltBFkYw5rgYWxiieOjKmif+pUY1aoaO7gsukK3iWxPUews5Jq/U8DfudnXzuBVbXLRusZgr3WZHJi89v36SZ7Wb3Y6IhOmtNyhfOGnJkefD3d2//9tq5/Pzh9G/vzi4enPSavePFYNcV41fDPMThQOf3QPZDrL4PWP8auzIteXovsOzd2PzQ8WI0pV6RNaLyVarXs9mf8+W3/yj6NNRegJyBu9CiGkxhfKjbgbrB47RR/ZQkxPpmI2T9qWbWtcbtcc/pdWCfSRlgrhNjQP1V4JDGDTEVkDMmi6vQm4g/PZtlG0o2/Z4HSeTCxFBefO9cein1WV5qk7pjNM6O5ChUGEAxeObhAEvsPdcu+su6zkz5d8frdY90vXYTcjzQ0TljDF3mYahEftXTXUgo8eIwWh1ZlWikdORNHEaFE146CxjE1GymTIk6FoqxK+reGrb5u0VYea3SbUEaYaX1Lu8JJW/iMMohf+F+stLN1TFVJE7zEDKR764+4V0ASIdOxFiwXsiMcQZPCzK7fBpJ5sacY+pOk9mAmm0lxO7CqsLIs8CrPGTme+2gHhKKb0OeRckULlUHiihTK64zrk1Yc9c6jU0cRYzL3DQLLaqbe6jHpbE3+St1O2rrBqLNrvkLdRNLH3O1uHQZ8w2q06Cdf0
DhSj+AKUZSD7XNLH+hbvIoQFTWb6df1d3CVfKZCB0yFyOarsDS5DGKJK6P2/XbkJPhZkFDqUzoHr4A2woeegB9Zp5kTLDZcpJRjwvG2hj35sOF1kkCJARzCcoiTQ0dJeSjY+i3HQbgoq9wykew1cEWErKHIe7J56HI554CMR+CGnT5deyZ3CEcGyyiQ507S6evs2bQ+oRdTGUwzcYbLUAyHnsgl2vJ7Abevn9zsVWKyIqP9W1J7NTy6zEPtIBvHDRCLBHUqaoIChs6IxSR03xKqIbZHVhzn+aL1Dtq3wr+B7TaTZFX7Zd2PGyKzXeG628sKuS8WooXMZWOksbOwIoBl0lsrQG80Wvr7aEemSaUuR+jarafuLUdY/UC6oYqZuebhoauuTcQjtYlKyJlY8wDNLW5NWyBgqudVHutlu4UYSgZzEUuV4HZqlQvCnC6pzVN6EOAjfRtVW/mLakxlT8OUBSTcHxiN5qmZ6wkN5M5WOlx9/L5Q27zajOUof+rK00Wci2p5TdaST4lfdHOXxzmLzr5i27+ope/OMpfHOcvTg4WwpTHzZkGIlEzfFdc3Rz/N8aHdY/d1ZM6HcI+oR7Un7UaA6ZYGpmcOsXaMOd0QQ+vaHnCiZSYGpX9faaz/DroQ3LLIOtMLBiVi01lEaZ1k6HmF/DRaIBTrWJBbbOGa3A2qRLW2QUAz8xDZkotJfiTPGCq7+x2YYMs/HT7mu520z3piOWjM4CS9XOPSKgjFjxLNhaQfvYbS7dKUjIANt4mVIrGbjW7kFCdCEEHsULJERWDjOmvj6epoSnZ/tkw9UMRDecy9eSw+POnt1vFUXFD4E3rK2TU5vLx39XiQ61JcnUae4My19FQMa//fqpwlPbU4qfzXOT+MosfTduQ+DH0w/ZyljLnrFMTzDXezx4x51hhDvfqtxLaGkIUy6RIwfcadbXGmaphG8QMPwe//JINLexVMq36DGVSIaaQRTs5qJUlyNNqH9Wb9WY9EbMHIZNePe7HVMZqMQc1sLGg2yFaOZZE7MWMLLn7qfVLZ2S+TwGGum3I8Q0c+jbfvvmcg+uiRB4jMtg7TL+oSOEfMSF1qsdXBt76Wh1Qk+vL5K/36v8zP+JIzZ4f8usrdXFQ8sCcg/4yXNscqXaZZD9Dr1WnnuUs7D5PPZPmV9jrUNgXNqeoJ8XR/rTnaBrlXCTLC12lp7lZ9kFCPa0S0qYVIUg/wMksSSIZ85gtS9Ks8lXvxIJ3NkuoWZNBoQSh6nmMUhvuZzOGlss4GdTKs1FGCqO+fQP2kXTJyPHCyJSfmRBqJPwEs5Jg9oPal+cb76F3FwOXcChHUDIYEDrUSS9tKPZOERpI8usDEytrvG9Tz07sATSQOF9wQnvtg3sqiXrCbbEpNiSTbuTFoWZiUviIjzaXQGu5bTZnbpvJ560Im4nTJxTxaS6B1GqhM/v8eBauTvEEmLk0+xzo5GGEalv6bAAJ10lNWgVYt8MJbB8T2Dm2Ve2xc/qCdnvOo3L+dony2+J4sRU13i54/5Cz5VlKU6shFhL1AyJ8DfFZVjggmZllq5DN6jENbWS4zMAuY0pxUD+o60VtZhAmW8wiWRG4bZ0brpj/dU2QMj9e4v+ib+u9YiyM1wQZUsZxBmipzZTm2CLIkM4MLdsFLY8iC2htdGVx5MrU6ibbwabAuT+FaasFzfeFyRtAnZaex1FV9anAauBKFp30y6Db5xiNWCwBG9zTeWCWynGN2mkaZmaJxY134ThZk4gPsXzV0lL1Vcua/3sLHPdBDSdUesKAT7OBgFArgX64fHORGp8HmGPqmuPc4rCte5911vM+Uy9S94h8gu5lbKConIyxMzoWpdvRUzCibEJzMUkgUigrkjhNFgAfCdDHmN6P0jCFSOfElh3Vlq0HfK9FU+kzepCWPK39HvfJhYtoPZrqetspqY11cW71bkJyMlKEWLj7HDwvyVaiRxHhIlp7URt5ZDjEXP2K+xj6sabpFzWORiMsRO
1FLcJE7dxF0kVTTvJbBwqlQwOSDNWJ9WNRe/G91meyD7egzFljK731Sm0sJENmNW99DInOBGESsAqAQMZ+POD6JPBSQbdVdOpMJSRfMUTj0gT+MfHAX14VDVi2JBnq0Sx5i83Jf3X9he0XdmIRprNwbXs5vWwzpDrrDW9JZDZ49v7i03NQSPatmfdW4ZeVt4yOLfCbNxO+ArWGmIqGiWJthII3IsRRiNVKGvlw7ZwZsWjK/PbRufz0+cPrbx+d0/Pzsw9vvn10Pr3556dvH51/fvr44d2/wF9Ac1PoP4AzmHo3IQJHfVGPMeuGKemTbZiygw6YG7VdWF4Hq4N8k6XNaSi1DBaOIYItyODVRNjsnhQOL8nXo0OzmY24Qq1qgBljrnHQwVTyqXbQWE6JhcwJ2fA5FcPCZNuFWTOy1fmy0Z/2+xA4GDQGXqO1GZ3d09Z3B4IxakeEDrArK6akn1M3IKBP5/M+y+ft87d6dhCiYIL4/fBg1mIWHHhWUB4MUEgCne3k9Ffn7YezS7WfWt6j9/yuSoq/vAK9ZqvZtN/9H323u5xZI/1pC1/IR8KfXQP9GXHgvSwoyNbHtkraj7Wz6q+BccgdoSF2ZsWJVx6gz82QfD1jHSSUmDTu07IWHnlwHPjwcFpaTdfqq9MntIEiaQLOsmC1aDQsNPAoLFzbU5tlt2lk/NCzhogkbiG6RdvG8u2zjtPYPEiYdY2ymwHpNwRFkWf+e2+n+nuTaHevqRshISbe8pywlz5O+gHGgesnv/P23XSTojXTU4BoZjTRnRnf7jk0aGOIRgj2J6V11YsImcMWvfhaIaAyfSW7iSxziLxQo4TUR8HND4ClaaHW34k2T47T4s8wRJToFAJLlISHray70WnoWqhjVJV3CYkdUZpTqrx+mB7ZJxQGZIRBbobtYEWn14TDqYDBjU2DW1JBLF1TGu0y9JmQuWuJeZi7HAVDLv0kuIbrfV3d1RepnaMu/HuNVakksrZjjZlBfC2TzFzsox69fWinG59IVIt1vEeI32WbtENbzlZQw+gf74QXmOLUDy3VYRam2TKeUFvWnOUxsWmp3pnzMkNC1iPO8pcBGeP89SCm+cssNK4f88hlQYD6jCPJeJ1imetIBtNZkJ2LKOJTXchf5ELvEsdfhZ6zwR4VARvWXboOFm6KY7vz2ogwD5Z4A2EelDs7pz5C94JZAV4nMcQr8L2mXuGgVuqHk9SxX3TDufj4+nfn4vLT2en7xBFHMHekAOwQerCNhAit+9qaLgOoH23q3RX50UO4dh3hUgV1UQUd+VE5ePmCa1cKX6Hzbzh9Qr0cfLHUCQExLbYpsotksc3kPSm2aUVUsYlj5B3sytlrRwgWoYmOQy/HtN/OwQT3QY4vgXTUmhUv7mbX/Jp9wBW+XN9rEZtgrtdyUHtRc0Ovjm9xcZtpL2US+ZHu+kL9gu6QmIEbg3P1UbbdahYtJGygjxsSp+4j1RwNIiaNgdWZ4H5SymRZYUErSGdVTNRRtlBdcCWQ78I4jq/Xiq4oHlb3xQSzO/tignPNP3IxwWre80VfgH3pQHOxLx24Lx2YNe1LB6Yt+9KBhZZ96cBqpQPzgVrWvDWzDTeKkOvjto7mGRJ6q49SkoVJ8FjNlzJKpFfpRK++65PkwRZy16/ep9+DoiY7rDg4jAjHToxcpz+NkFjh1lQIFQyRdH2d5ytTARgzwufT18DMNnsR7YZqChrMHg/M45Nnbvv4NoxtFnecd0tNDtbwAzsH8AOjbwGcgN9M9hHogj/fvvrzs2fDCPz2++vPLy/YQE4Qx1fvicuZYAN59U+zMPA5UpuS5/Xkb3I+z09798n+3214Mz60v6xCGJ1Pc6nh8tT4xKbGSZ06Myrm2azuL3s3ZGHTThmyzJ/YOXNDRtNTe/KiWzq2PzicJEcudhCVxMP9eLic/GOBhbYdU0mg7j/Ujs0ZkUsG+gFzR8Dc3HYFmmgSw6P4CBJi83Mw75Kq4NXk55efTl
+fOfq/78/u0ea3dhxIr92G6bexdF0bYIRer+MGVXB+M2OAyzyFyZIBRJn0MQf34To8ikJ4NPLh7VdbjqVSUJ1//P3s8uz/aMenpZ3enF6eruz0+eLTg0G22e3mQnWK0FkTtBM6ItLJPLudhcCSJVI51Z5pw0qiiWdcADYAeSWfuk4Srbdgp3nY2SrQJ9FX2Cch7HFbOrp5VZp2eEw3e9FI3Z3p5vNp0y9+O3v3LpGp56eXvx3k/EB0v1yChzdvL87fnf4r6f3m7OL3y4/nzsXZxcXbjx/yA9NE7Ztv4SrFAt1PDnYTwuG4AXEUedvQ5Vx3MdSvECbibEw87AGWxttqzT5YK06oClIMjwZwNOBQestT7eescGlASpmhxi3JQARdiyUOugci7ie0MmvLG1L0ZWJLSRsiOa1rojqYf9iftB81lnGklZSP0pN6LqSw2T2pq82F+bKVUIsjKliotqoOZXaXovPU2jfrq6uTp9n+QUw9HYGvTwDqEJhVSSF4u2InC0ljNi/5NRKxZR0KidLyjpOmDE/i0ahz8KcXCoUODorOj+k1i2RpOrSADYvXpL/Qpt40jgpNk8mkmDXtl1/yud+yHSuvPfsref6M65gc/I1j7YH9jVAheazB/c3HQfTNZxNHMvXnCkj2zQDzef3g2ZTF3MnG6RTP39QuL+lSmEk9Wjw352frWj6dvf74j7NP9YOruryVScW4uZ4pP+e1q7p60J8331mvctXrnDQhoT7pE5nWJkteuJqrOncdQxnCSTMC20jm02uQdANz3bZLB9O2jQ6eFbD/2bpBBc/TqIL5DINGr6/Qmhv7AKPagTNpMVXMvjwvqeo9m2cmxzP6eZLuyZsi61olSZuH8yVJE78f8tXsLBIEq4a+GHnOKO5jE5lmQ91LH4NZDxNxrDYU5rR6T3h8M7HlJVvGoBt1tciGWaUGlebVhdbNAbWDYBiOPSIcgajXZ7eOiY61wemNHivS7X4bNrudw3sBDo3G5UyGFNKQpuSSVLfRT9MFbUpTk9YC0ndhu94+MQlJ0+vD5tx1a+66PXd9OHfdmbvuzl335q6PdCmuEh42M4pq8EDXx+4Icq9vnFJVk8B8vJUi7jtz8Esxb4ydQgn2omRTndJS05n27j7rPk3Gh+XoVy7j7KLtbrlzDaDVL8QGya8FbJnD680QpSz0Cvz7PxVQafXBo9U+gcJHHHswqW5bEWWGREg+dXhMR3i6dE90Cj4lvYHpPUOftfdId1P+9phvwSCBZT1df10tPidkfvv97F/Ou4+vT985709f//b2w9nVxcdfL/95+ulsUaN/9VrXFZL/UDKd0atPif/xppMw6uLSiVL7wj/ZpNc5bH9gnsXWUGVl5QaLD5fz81yaXEABuNC4fPXWmMuXTPKoV7LWh37Q1ZzdbkGQrLPL3H7h+4wlJF6G67CGC9M1G5syiPvmC7c278CqfKEKbJMXFR+rYVz5RE8YTQI0dZCUyB3phDvLTYlZeT4kXR+LJBGPngSYSYBcp5rb3RClP7YhitVT+OAcSyLPmURhomz8xNR5VbVIljT9xmTh+n/HxJ0WWq5jIR3PxU6+B5h1qXEmjYkS1ExrenURMRZcoDAKcNr0CYuIUQ/zpOF77UCEff3xbg/s11QGYaFBp+JMn5/zFixa2t/SMRtheIkk5nMzz0+cXLshBiLs5+6+/HD57r0/094mc+a/6+ZIv74httvt5osLwQFnIUyjaqHWuVXdMwUYCezoXDlLDnivZ+krdJ+cta8/zVJdEDoszriSBO6yB8e+zddibresJi8spVaiZa3NKkTk9a15dWutkejl75weY2MUqWT32TAHHI/7OBbLWWC0EJGjmWEyNleIDEgfD+S98sNuaTzOHENAguOIM5Tlym4k24KXI96Xw7RVu4Y0gph4L5spxxlh3sf5oeaQyWgwBY2IsyHPWGwkJWhI4o5w2peESqjpMnaxyHgRxxRP5noiMZJDCRq5bj7iYywkaG
jjyxgFKSvrxHP9hA8aKS9IGocs8DAFDYRFu9tLR5JgjPlscO3AQO2hWdkxFBKjQInxAeNDDJOPLKD5JhU5WUxdJ8BoNHUG1n3dZSELT5ZyMlFZdWC71Wv3jH071gsfxKtR9i78y2/ZcoO7vkd4XUwVcQc5hUAhS49RDJiug8VsWgPRcLW/8WIW4cyXUH2n+hbsiA/Lkajr5BMdl8FXdUyzPJuyeEmhRJ0QhTIKhUTUQ9wDE7TdKB8ZxPAmCGGLrVWWqSQjRcUC3wV73KbSCSwgzYMZSjK6nCXjmBlHLDdn38HbwODyxfbie1vRIyF6gQZYHfNWEv5F0nF2Yr/no/ptt2Uh8apHdW34TU/Tr016hgssr5KfV+q1/saY3ALY1vUr6/ba2nJNeDrAIoNdFkYBQbRiciHh+tiLA+w5EomRCVIu9TbLOgPVWbPydbX6dwPp+MZm87NuIpOjrtpIub5ansh77RRL3CeR2BsDcB21SLN7CLPvBtXC1M7qmvWrgQlroecka3UwHTDu4rAktPbi7J3qDnLdgMmKZPL9JG+8EmpVJO1keAODYUe9opUM9Vz1ZEX1ZDXGnRrzkAhhUnTU0sXNFb7M+L9xwHqltsx/O3v98f0ZvPj8+vXZxcUWALpVilwKTiqIJGPsSK4NcnZ6S49zRICkXz7pb3IXCx0nLXxPx15keRdyh72iW/h2wJ0lI+3YvHuflTvlnp39vtq99+zs99XuvWdnv3+++GQMbKaT/i+u49iUnFusqZklCvOCsUa2YJxYoFHo9To1nT1MTaJ+DY1JLgi8/noWuXVQrJKs3tyjONWwC8mstf2No5MrZyEYqidAoFg/Yrs4E49tyYgX/UBr2epqVmdPtdQtHI9XOoYdn6T5EGDuO64JAB/xKI6M/rq0tEbSKxcMo2hZ7y5nJA8W8GXb8vZmsC5gzHq1zF0Qsgl0ftN5lxVIzpH0U7/bz/QmZhJ7iXVC3UruJPr7N+/emZFJ83u9a1TTJEP+pg6SBIvF+6mYvUQiHf1GZ6v6+/n5eVEF8xqpzoX2jfGoIm3fixu4ienziZKVU8fDAZYl9jQdffeb6ah3BW8KnbdE8QMO+9MTKG5tiGXCQ+e9Iup9JPz0FRQDrn+dux6QYsP8dd2bnyF3qbcV+SfnHccKzryp2vnLEjEyO+3mzsObY9K6G5HmURNmoR7lqSLvejgoIJOYhuqj2ZDpFIhp2FfzAdVFMy8T3unnECz1BTcVWtRuRpd+pvEa6XsqIV04gKjtQubZSmDMMljoealdtNQPkpWbQ326zh8UtGn89w45xbh7C4+DDvR6yAK0VZ5cK7yVbU6FD8Fm7N6phsks4TFFWZsF5/9QqEfx6lTuhoWYRO4UsFj2dXnAtHrtwvDtYGIWQIK4BRO3lK69xCPQZI2qmf/MskKZBpPWKf8nyydU05mbauaOTq5U01mIaibTUi3Lk5T7ZbIj1ZLsRjWT/aiWZjuqmexGtXD2Z/a0NFNRzWQmqnHVaLIO1UyGoZrJKFTLZxB6iNSXq90ZtxJH1YExJbcwn3quCvJHnCnAr9ahagJIehdMJ/eC8QNq82FZ6mJ/kCwuz80aB9y1WOafrfTAfb4Vo/w6Wrk7OivdleMFZIy547YdEkYBovJuVnwzDXDbIJlmJRLc7RTo922Mb1GP+oGd3RIJDhZPgPr26ySctOz+H68ZFSzAX16+/BjLKJZn1GUeocNXf1ziW1n/fPnrcdr05eVLdbm5iq9S/uUtVpPQBcw3TaWqJ3mIZKqM2Ewpz+arx2lNgK7MnktXmm2tkzvPrftrbSKzJTLVV6p75reRuoEJLAXJkq9KD3O+jUP79iXGGtggfAfF0mecfMWeM8JT4ei8dzbcuLj4bWYxV11BiKbAR2Nc0TO+Cib40oXtoy5sTmwpufPZMbNf6p9+iblNDajNvaraKs81tdPSg7kJZsk20z1zXQi/uHEuNKWBs1kryLIuA2CK5Mxm93Q6c03X9ZB5Og
tI7naYi6G/M2qtI4nWKBCxofCx4hqb2Dccu8C1o5tD2EMIRuS2Gq6xyfypriKuZRPcA67lp88jW5J1IndXtahjg73/cKH/kHibp6x4tLhZpmPaCWqetAYwmt7AbsdWTLwUNS1qzUqYaVFOboCYhaV9+5ZbXR7PtvGkHAn8uAiqDjWPBkF55MJr0oRfB3EVBN1Mn2aZ6u64bjle7jEQrMRAJ4s32T0SzkL090ho23UulKkrtiZ2EQdJ8Bdw0hQ/LuJynXL60eCt7MbwxruFvazI5Vp4a95iE3TLz7ANhCss79u3wgr3Mv4OiGrsw48GUafNKTwcBrBndbYqRVSrfb0Solrt5HvkAcuRR5LQXh1+J8jj9xEcDTBs3drUuuXIo99iI+TJzbBHnhLkIdK4hpl8RKYilA11kjipARnGSUG+NIHe1OTcpmo6MGE83Cr2zIpX21KsLDFw1yNOh/MAzreZXuadGrbOxVsWg1KlLeMjQ5kVaEEZTWOiVpjJFU8x2YCkLp2UK3jOkvCqLLoqYny10egu2NFp2crbl5fSPG7q/x7ropovwLH+b6fT6SzxgxDC39j80zyGAZKYowCGbJz3n1+AZLu1US0sBcTUY2Glo0Nq8SuW36Qatsbz+F6gNuzasnYtQu3VK9BuG53mVpwfij4AUeZO12of1Zvqf43jF6CZ/DxsvwAvX7Yarfax+qH+bm70WRsNur3DOTSAwnwo6Gsv1arp1o0vhBMxz1EMYoBFWhqwJCMSxZNkEIiYB9JBBY86YhL4/h73MadYYpF1EzMxcS8oJFq2CJ2tZFnF0m2MsjdqZG/UOLAFWBKdy0JiqlaQeHhNUairUtWnYWAPK5w9NHPpzAL41LMDU95qLtYvf4dFstC2OW6uJWfWiCoq+jscQoMsqp8pAZ8mOS3mfgeLLi/dzmG92ezmchgWgwPWRPyYeI763sudHxC4+Pz2jcJSXKg1ci/Y253Ysn49E1jGxMuFkXz7BpI21aTbni/ikTYj/gIunLf6Ff4Cmot9sinzd9JE5CWo+ad8lnQRe2xzMVjJU73bOYaoHwsMcYDHxhUicZyAIXZ9RIkIl6HPcb3ZbEHzBY0FHcsh8SqiT1op2OkTKZAXEloeT3Garyyc9c8ynD9USZHOOiVF1PTZEpdGVCDPU8MSF4hCQVmORRziLfhDVHKQ2U6B8hxoMxbjuAEprRs6yxcRIoqGJr4xqRFaLFCkEwxk3VdCuQoPQYNr2BVj2J6skdQ+FyygpIZOniu1bHIlzxwj57TEm4JyDdeWXvMkn5pWYSARScX3FA/Khraa0MNRwKZw/gNXBrsXBOUn3zdBANRNiampSp8j7fU3N3cjYOza7L6G8vIk/B3UDupeYOLU8rc9rMPv5vIVXL3RzVcHWR44E3d+2L5Kgk9mPc5NGps3SKIrg0FX5f7iCm+SmBTNSX4eFKLSE4oFlMuEixna6D6ADUA66p7Qpz3qreYNavp0HUvZv+o0x/s3ZvcVUgNtp9xUDmR6R7h0M/gJu5jKYJrRP+Mz/akabvaJ1cV5FUafAvMrs8WwPXu2Yg+46O6f9/p2JAkx+B9w2BQzR8kiPReyBi3Lg2IOIx6SyGNDqNOrNf5/9q63qW1d6X8Vj19BnwqSkITyzDB3eoFzDnNK2ym5h+k0jEexFcfFtowsJ6SX289+R5IV/5MSm4Sc0MsbEqSVI1m7q5W0+1sUjJDjIEego3DENblrWUKY7QxGqBY9shPi0Tmo/Qsyqrl2Ax6VvZR8MUL1OA9hFByKIOpDmFCcJtCyqkg+DkdFAYsEr4q6TOFpqNQE6k7LEttPYsp0aNr9n8UGEbTvoIviQkIRWZn+CiL5fCBP1wovcH/AWdYphFTofWrfy/h2zQUMT6KFE2rIu416UddN1Er3XQy6/RC43RXIVMVrGa2HLIcVEi8h/SxkollSjai9tCU/91jSniShoip3XWOsOnT5RRCc/h4v49UmWq9/Ig979GfZT73DUs
udxr94B+RuNpuDSdcBkTKfyDK5U3sLv8rdrsjdjntc76CcLonn/7vFtN8NQdQPQHKvCkUy94YhK9vL+1rnxHKokcshY8DhEsmUBErZLLTWS6ckU8rn0LwVXa/jiF3qSBJz+043iFJ16Rp9BZUYD8/zoSPNj2dRdWs0Gs7uzopqHC9sKvbFEJar/GFR57MnDotav1REoqBUUtX8JYJQNMn/FtPy1ZnK1wwLK0BaIteAHEFpFeACtb+Nk66tq2ddpMEOqOfjHzNwPwrAvO80saJ0/jurPbx1Lto7Z34V014W+qpQIOqeFiqXK48izRLVUe20rPjftBh/RYWh96/fAZURkTvQv28Dt6XaeOUsOo13/AuxHvS933n7QTmGl23L1RvJzs/Mq2X3aylqfXzJDijq7z4F8+4UOLBRPL4+WGQnbTRtb1+ttFcrLaN8DuHXxgftgPDPv38HuHcPHlqNYiL1wT67Kfy63r4K/6vwZ5SbEf44grMQOXr0r5TQSAmNPOFmpHoRxQXd5VKd+Z9kYmEK1uG4jjk2zHFVtWrE4bxUhRmqpfJZykYj/W8rqmTxAq9S2fCH9pH6H7O1NXfaGqpuxNjeCz1KYDAWzrOx6LjE56wOSVkjf0ageVYapWielXJS7bAsVtL7avpAX7z87UsE0UpTgSiqbEPKD+P8op+tuZo1BDKpslj22dDkHskE4/TU0K1fTqp0MCl4bkWQoJD+uvr6ObV0NdwlR1gBaD06aLX6QE4GW+lJs9g9Cslyv8QBJAYk9sSbotoZkJ6irtvv7lMitf9okRW5toGkCGhuidN27h8oumq+Ne0NzNoJsLHvF6Iaq4trC6SvSRIjBziQQv309fot7g0m2009CFLX/mZzGECK9M7AX3hMnyEcXguxdEnsha4BDZomagdMU7Gi58yI4tsq5N1CnOQExzSLJYjjyQEf4oGH15/MRkEfnfaJDIkUr0+sXs1mhyTjsY8m2LVKPrul/dBgQSgV6fNHhRFblcFK4bWdjWL9Q6r6fti9XgckIXe5RU4+7/QSoep1uFDlk1R7IWCjaThvdC7MWMsLrbLPfnkry3Fq2Y7VgMZg8HVrkTlyHk86K9BSXo3dV2P31dgtGrtMwtWhBy8hQK2GBkvCEPkWJXA89mw5goJxxynYis/T6RFqjDGZQeKwokWCrrTlZjXWxFemnCgBa0feFNMQ2rZnGo+PpYQ2Lo6pWYg5KVuBH5gpf8b+fDFvy8Dd0rhg1XE8KWdhLD3qCyPjzztnf2ZVak5HzL29Tu9bC/RuH/c631qge/vYHjqP39rg5HZ/6OwPD/4xHO3/u/sf89ZQQonHk4RSH5nLOsMjK4Vhwr7xiAufh9FXh3m6wCfXdXhw9rkLPlxeDy4+/v/j9aezP6/3NW/Lw44X8p8U33g2KCeM2dPfGuYEhrH8BMkoCWnC/o0EI4LQFa96zD6OIoIfeCqZ0CX4rvg60w1k9sNiNTDSpCGGmX6Iv0ITG2b68UN83IkPrj9v1z5fa2Q29o47C+h8QKWMNZLdxEHTlTkzROCkwWTrWfdmM6wKDdVDWbDOH7KnxAeORDpi66KqXK6Z2rrF0beKgiRhubwKnlSF4ngyG9RCrOh1+wBNUUgBJZ7rIma7qpR/DS7gF3dWjPyxav4zNB2euIiZmpTRGmOCAw6Tws1efjrwLIxxR1RKvHLdeHpaPcNfeyY2leGpfKZyLDblrKOAJxVsPmn8xmPltmEwQZJ26xH9WfYLXzGBxcUj7aP5TJH7jeLv1szonsSISAgiiy6OWUpCxagK5yRTDxowNHgKDNbzKTJSZKSNTkrreA7u2u+A7amgWpACZoH1FDp8FQ7RjP0nUAodh33PJQXPmbr1g2xf+mmt6nBwEUB8vv5RUq3FoH3Ul3BEKVqeXve0j/pc9/DRK8hrMniaCrUGg6eU22LwBXg20ua6VzC4g7h96yD/lanXZ9pVGaB7R+0FrGN65qnNiriCEQPsWFkSd8slOF
Em5s4xJHQcgQjIjJc4cbCRb7VZLqSe6oJYcfaZjoWz2J7ytgH+LnwtlJW/s83UMlWU8vTi0VOxZ0scbOYfKopnE4R8c+39TLNldyNYnzM0glFkeYETW3+1rTTLvYohbtDIyCUjM1JS5BiXV+fX07ZRPQneLGvAvuo4lfX8AM7iAy8Wo5h22C/wN88mkNcnxBcYOYdvDgNEIb8DOvRgkCFH5Hp/KDLG7Wk0V6YIYQTtCeqI/bIXPnCtQnFgQ6HDJpTyJe/xUacFF+g90SR6Y64kPDXM73AK1+e0LSmcGRo5hOceXOmD8k+CZ0zh3KDROW+yBW+U0IsUHKW6MF/M+U/TnhAcIDEsPssusu+w+D+3DmbNFipFtORNMHZ9BLIC/s0T683YI2iMH9ZfVVptIIB5V1zotE9aMhM8EOlQwRjaXujmkw82m3eBVmSNMKYWQa4XUzK37tDcKiGMFzWMaGWwVoZsZdyheX1c8qfBJLn3qpzPMaIHshcHrO+5E5U//rz4an34dPb+g3X1/uyPy48Xw+tPvw1u3n+5GF55NsExHlMJrmV8HAzPEsK46S9mmuJweBl6v3k+uoJR5IXu8Prr9eDi6sALvSEb/CYQVOruxNvtjsTjlIN90lTbZB5R7BIYTTzbGvmYQ9Na4gHNeaDwOEM+Lu3Pc/PDcV/l9rA+P5xlg5oPP12eD2V60cE8QkZL1F9ffj73/S/87Ojac0PknEMKr2J3m1zR6x2BOBlNEaGAkiRFHCJNr9mLzBFwYMVUvaom/72RI+SmZ4SpWJT9ef0796dN+jjW+rqUcNDsKGF2GmZ2g9hJvHFwyDaTPpoiPy0iMHRw8ADa7ghE0EUSOo3fHiXB/1E7KpXEsV8saVeJ2lWqTpWqk6MKPRtNskSncxRHeIY2kbp0lRHRPekDgmKcEBs9Ea1aMlASOZCi5mpEtNvqYjK7V0HRP1V5fGavyENxdVX5Fx/aBqaxtlLYwFLBc103n0bZcqsTOUU/NjiRdayCm3SYL2pSA08Y92y111r3Mhf34hh96kHj5uryuabuuyqxgOIs66fJlSHv9xvzrWkHArdUdfFZ3IfdBN5nMr2+2BbMaat7DNKXATLUYY67R3jK7rpW+n8DAAD//1BLBwg8pT2FuGMAABRMAwBQSwECFAAUAAgACAAAAAAAAAAAAAUAAAAAAAAADQAAAAAAAAAAAAAAAAAAAAAAY3VzdG9tLnBvbGljeVBLAQIUABQACAAIAAAAAAA8pT2FuGMAABRMAwAOAAAAAAAAAAAAAAAAAEAAAABkZWZhdWx0LnBvbGljeVBLBQYAAAAAAgACAHcAAAA0ZAAAAAA= headers: Content-Type: - application/zip diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.frozen index 9656c92c77a..d60da2df463 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.frozen 
@@ -1 +1 @@ -2025-10-10T15:21:08.449Z \ No newline at end of file +2025-10-16T16:03:05.263Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.yml index 0f9f4df2812..ce0d8124e39 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:08 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:05 GMT request: body: null headers: diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.frozen index 27d8adf4be4..8b3bfe1d024 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:08.896Z \ No newline at end of file +2025-10-16T16:03:05.692Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.yml index 5f6efb01ac2..e6b30e3c664 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.yml 
@@ -1,10 +1,10 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:08 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:05 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1760109668"},"type":"agent_rule"}}' + == \"sh\"","name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1760630585"},"type":"agent_rule"}}' headers: Accept: - application/json @@ -15,8 +15,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"bpy-c0l-ijc","attributes":{"version":1,"name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1760109668","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1760109669336,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1760109669336,"filters":["os + string: '{"data":{"id":"zzl-iw3-hku","attributes":{"version":1,"name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1760630585","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1760630586302,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1760630586302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"}} ' 
@@ -26,35 +26,35 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:08 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:05 GMT request: body: null headers: Accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bpy-c0l-ijc + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/zzl-iw3-hku response: body: encoding: UTF-8 - string: '{"data":{"id":"bpy-c0l-ijc","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1760109669336,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"zzl-iw3-hku","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1760630586302,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1760109668","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1760109669336,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}}}' + == \"linux\""],"name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1760630585","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1760630586302,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}}}' headers: Content-Type: - application/vnd.api+json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:08 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:05 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: 
https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bpy-c0l-ijc + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/zzl-iw3-hku response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen index 0b64b75c8b4..2d6417cb316 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:10.333Z \ No newline at end of file +2025-10-16T16:03:07.353Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml index 56b8bc214b7..c375c09c1b2 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:07 GMT request: body: null headers: diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.frozen index 35c8858ab88..90536af84b9 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.frozen 
@@ -1 +1 @@ -2025-10-10T15:21:10.974Z \ No newline at end of file +2025-10-16T16:03:08.037Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.yml index f1f24b13e96..168e4974e6c 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:08 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760109670"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760630588"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,20 +14,20 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"03k-bzr-nas","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760109670","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109671322,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"abq-okp-uf1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760630588","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630588400,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:08 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}},{"hash":{}}],"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetaworkloadprotectionagentrulereturnsokresponse1760109670","policy_id":"03k-bzr-nas","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetaworkloadprotectionagentrulereturnsokresponse1760630588","policy_id":"abq-okp-uf1","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -38,63 +38,45 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"ftd-agj-4eh","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1760109672543,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"geu-klw-pc1","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1760630589190,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["03k-bzr-nas"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760109670","product_tags":["security:attack","technique:T1059"],"updateDate":1760109672543,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"monitoring":["abq-okp-uf1"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760630588","product_tags":["security:attack","technique:T1059"],"updateDate":1760630589190,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:08 GMT request: body: null headers: Accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ftd-agj-4eh?policy_id=03k-bzr-nas + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/geu-klw-pc1?policy_id=abq-okp-uf1 response: body: encoding: UTF-8 - string: 
'{"data":{"id":"ftd-agj-4eh","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1760109672543,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"geu-klw-pc1","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1760630589190,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["03k-bzr-nas"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760109670","product_tags":["security:attack","technique:T1059"],"updateDate":1760109672543,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"monitoring":["abq-okp-uf1"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760630588","product_tags":["security:attack","technique:T1059"],"updateDate":1760630589190,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:08 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ftd-agj-4eh - response: - body: - encoding: UTF-8 - string: '' - headers: - Content-Type: - - application/json - status: - code: 204 - message: No Content -- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT - request: - body: null - headers: - Accept: - - '*/*' - method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/03k-bzr-nas + uri: 
https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/abq-okp-uf1 response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.frozen index 75eb7e4f66c..69e25f412b0 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:15.632Z \ No newline at end of file +2025-10-16T16:03:11.133Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.yml index 6fed16c43a3..68128441608 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:15 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:11 GMT request: body: null headers: diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.frozen index f514714bddf..79f9eedda58 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:16.325Z \ No newline at end of file +2025-10-16T16:03:12.066Z \ No newline at end of file 
diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.yml index b48c5e43647..da14ab8f490 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:16 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:12 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetaworkloadprotectionpolicyreturnsokresponse1760109676"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetaworkloadprotectionpolicyreturnsokresponse1760630592"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,41 +14,41 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"lwx-2sg-6dt","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testgetaworkloadprotectionpolicyreturnsokresponse1760109676","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109676701,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"miv-j2d-z7r","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testgetaworkloadprotectionpolicyreturnsokresponse1760630592","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630592456,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:16 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:12 GMT request: body: null headers: Accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/lwx-2sg-6dt + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/miv-j2d-z7r response: body: encoding: UTF-8 - string: '{"data":{"id":"lwx-2sg-6dt","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testgetaworkloadprotectionpolicyreturnsokresponse1760109676","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760109676701,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"miv-j2d-z7r","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + 
agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testgetaworkloadprotectionpolicyreturnsokresponse1760630592","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760630592456,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:16 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:12 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/lwx-2sg-6dt + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/miv-j2d-z7r response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.frozen index ab80071ac04..faa7e24048b 100644 --- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:19.417Z \ No newline at end of file +2025-10-16T16:03:14.374Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.yml index b1544bfbe7c..d3fae0bfffd 100644 --- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.yml 
@@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:19 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:14 GMT request: body: null headers: diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.frozen index db6e5a0f548..213bd77af46 100644 --- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:20.533Z \ No newline at end of file +2025-10-16T16:03:15.220Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.yml index 76f8ac2e732..d5fddce4a5b 100644 --- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:20 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:15 GMT request: body: null headers: 
@@ -10,203 +10,159 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":[{"id":"0rc-s4t-d0f","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735562223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735562223","updateDate":1735562225000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ti4-rku-0ke","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746789271799,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746789271","updateDate":1746789271799,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"piq-bha-m6t","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714279024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714279024","updateDate":1714279024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1l2-7qh-mfa","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717432623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717432622","updateDate":1717432626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"00d-kfn-fwm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1740025013000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1740025013","updateDate":1740025019000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"igb-n2l-mh4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746635706008,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746635705","updateDate":1746635706008,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"434-kuh-g0w","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746184344309,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746184344","updateDate":1746184344309,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without 
authorization","enabled":true,"expression":"(\n (chmod.file.path - in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", - \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_chmod","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + string: '{"data":[{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC + scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"rc_scripts_modified","product_tags":["tactic:TA0003-persistence","technique:T1037-boot-or-logon-initialization-scripts","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + update registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_update_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path + == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] + \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 + exec.uid != 0)","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"pwnkit_privilege_escalation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + boot registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os + == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_boot_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline + in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", + ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"inveigh_tool_usage","product_tags":["tactic:TA0009-collection","technique:T1557-adversary-in-the-middle","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-pnt","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process connected to a penetration testing domain","enabled":true,"expression":"connect.addr.hostname + in [~\"*.interact.sh\", ~\"*.oast.pro\", ~\"*.oast.live\", ~\"*.oast.fun\", + ~\"*.oast.me\", ~\"*.burpcollaborator.net\", ~\"*.oastify.com\", ~\"*canarytokens.com\", + ~\"*.requestbin.net\", ~\"*.dnslog.cn\"] \u0026\u0026 connect.addr.is_public + == true","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"pentest_domain","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-krr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A 
+ process removed itself from the filesystem","enabled":true,"expression":"unlink.file.path + == process.file.path","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"unlink_self","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","subtechnique:T1070.001-file-deletion","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + 
\"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", + ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"aws_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","subtechnique:T1552.005-cloud-instance-metadata-api","policy:best-practice","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os + == 
\"windows\""],"monitoring":["compliance.policy"],"name":"known_dll_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1574-hijack-execution-flow","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name + in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] + || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name + in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) + \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", 
\"jupyter-lab\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"jupyter_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs + in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"ld_preload_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible netcat shell detected","enabled":true,"expression":"exec.file.name - in [\"netcat\", \"nc\", \"ncat\"] \u0026\u0026 ((exec.args_flags in [\"l\"] - \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] \u0026\u0026 - exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"netcat_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process - arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline - in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", - ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew - /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", - ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"rubeus_execution","product_tags":["tactic:TA0006-credential-access","technique:T1558-steal-or-forge-kerberos-tickets","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network - utility executed with suspicious URI","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", - ~\"*.jpg*\"] ","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_unusual_request","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process was executed matching arguments for a UAC bypass technique common - in powershell empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP - -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", - ~\"*-NoP -NonI -c $x=$((gp 
HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"powershell_empire_uac_bypass","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + in [\"netcat\", \"nc\", ~\"nc.*\", \"ncat\"] \u0026\u0026 ((exec.args_flags + in [\"l\"] \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in + [\"n\"] \u0026\u0026 exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", + ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"netcat_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-rpp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nohup + was used to ignore process termination signals","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 process.parent.comm == \"nohup\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"nohup_usage","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","subtechnique:T1564.011-ignore-process-interrupts","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process attempted to inject code into 
another process","enabled":true,"expression":"ptrace.request + == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request + == PTRACE_POKEUSR","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ptrace_injection","product_tags":["tactic:TA0005-defense-evasion","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH initiated a connection on a nonstandard port","enabled":true,"expression":"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \u0026\u0026 process.file.name == \"ssh\"","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ssh_nonstandard_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1021-remote-services","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n ( link.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", - ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"]\n || - link.file.destination.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", - ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", - ~\"/run/systemd/user/**\"] \n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", - ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", - ~\"/run/systemd/system/**\"] \n || link.file.path in [ 
~\"/etc/systemd/user/**\", - ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", - ~\"/run/systemd/user/**\"])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", - \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_link","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"fog-8k1-fzi","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733704624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733704624","updateDate":1733704624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5rb-4q9-p5g","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716813423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716813422","updateDate":1716813424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-a0x","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} - != 
\"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"k8s_session_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track - execution context from k8s user session","enabled":true,"expression":"exec.user_session.k8s_username - != \"\" \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\", - ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\", ~\"interactive_shell_*\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_k8s_usersession_entrypoint","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ku","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} - != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"service_new_cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track - execution context from new service cgroup","enabled":true,"expression":"(exec.envs - in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\" - in container.tags) \u0026\u0026 ${process.correlation_key} in [~\"service_*\"] - \u0026\u0026 process.cgroup.id != process.parent.cgroup.id","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_service_new_cgroup","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", - ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal - Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows - NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal - Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"registry_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently - written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode - \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c - 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path - 
not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"suspicious_suid_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"svl-2s4-jd4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730450224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730450223","updateDate":1730450224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"syl-o29-0dq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714826223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714826223","updateDate":1714826223000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"0t6-uce-ee0","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1734899824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734899824","updateDate":1734899824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"bou-hvm-24h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715474223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715474222","updateDate":1715474224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mtg-s1f-xy5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716050223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716050222","updateDate":1716050224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || - rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" 
]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_rename","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ssh_nonstandard_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1021-remote-services","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_chown","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_chown","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e + 90s","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis + module has been created","enabled":true,"expression":"(open.flags \u0026 
(O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name + in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in + [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"redis_save_module","product_tags":["tactic:TA0002-execution","technique:T1129-shared-modules","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process + arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline + =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 + exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"sliver_c2_implant_execution","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tig","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + user was added to the sudo group","enabled":true,"expression":"exec.file.name + == \"usermod\" \u0026\u0026 (exec.args_flags in [\"aG\"] || exec.args_flags + in [\"G\"]) \u0026\u0026 exec.args_flags not in [\"r\"] \u0026\u0026 (exec.argv + == \"sudo\" || exec.argv == \"wheel\")","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"usermod_privileged_group","product_tags":["tactic:TA0004-privilege-escalation","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", + ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 + chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_chmod","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", 
\"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_file_download","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"rwf-5af-jaw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733618223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733618222","updateDate":1733618223000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"p6o-t98-nm1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735691823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735691823","updateDate":1735691824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"voe-mel-8yq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746611600937,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746611600","updateDate":1746611600937,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - debugfs was executed in a container","enabled":true,"expression":"exec.comm - == \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"debugfs_in_container","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently - modified file requested credentials from IMDS","enabled":true,"expression":"imds.url - =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time - \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"modified_file_requesting_imds_creds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"hk2-qrd-3jt","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714667824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714667824","updateDate":1714667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"i0b-hk0-7h3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715560625000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715560625","updateDate":1715560625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3gw-vkx-b7s","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1728419826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1728419824","updateDate":1728419826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"d5b-olo-ecr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746789273109,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746789272","updateDate":1746789273109,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container executed a new binary not found in the container 
image","enabled":true,"expression":"container.id - != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time - \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"new_binary_execution_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"eor-xnf-mac","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746616279688,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746616279","updateDate":1746616279688,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_file_download","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration + attempt 
via network utility","enabled":true,"expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", + ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args + not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_util_exfiltration","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_chown","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a + critical windows file was modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == \"windows\""],"monitoring":["compliance.policy"],"name":"critical_windows_files_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
@@ -214,68 +170,54 @@ http_interactions: \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ezw-7rm-wca","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735634224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1735634224","updateDate":1735634224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"4fo-giq-5f8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715416623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715416622","updateDate":1715416624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"dou-40j-cpw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721378223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721378223","updateDate":1721378224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ag7-847-gm6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746529951029,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746529950","updateDate":1746529951029,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"9ws-qol-qpn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746529951975,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746529951","updateDate":1746529951975,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", - ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"]\n || link.file.destination.path + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"]\n || link.file.destination.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_link","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","subtechnique:T1548.001-setuid-and-setgid","subtechnique:T1548.003-sudo-and-sudo-caching","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + process spawned from print server","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"cups_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + debugfs was executed in a container","enabled":true,"expression":"exec.comm + 
== \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"debugfs_in_container","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_chown","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options + in [~\"cpu-priority*\", ~\"donate-level*\", ~\"wallet-address*\"] || exec.args_flags + == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", + ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", + ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"cryptominer_args","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer + \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode + \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"executable_bit_added","product_tags":["tactic:TA0005-defense-evasion","technique:T1222-file-and-directory-permissions-modification","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"actions":[{"hash":{"field":"process.file"},"disabled":false}],"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"(connect.addr.family + == AF_INET || connect.addr.family == AF_INET6) \u0026\u0026 connect.addr.is_public + == true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port + \u003c= 60150","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"p2pinfect_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path + in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags + not in [\"S\", \"status\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"passwd_execution","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","technique:T1098-account-manipulation","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", - ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"])\n)","filters":["os == - \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - kernel module was loaded from memory inside a 
container","enabled":true,"expression":"load_module.loaded_from_memory - == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load_from_memory_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - kubeconfig file was accessed","enabled":true,"expression":"open.file.path - in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == - \"linux\""],"monitoring":["threat-detection.policy"],"name":"read_kubeconfig","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"cx8-x1r-vs8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746630369591,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746630369","updateDate":1746630369591,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"h4n-yuq-2mp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715632623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715632622","updateDate":1715632624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-lt6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process was executed in a Kubernetes user session","enabled":true,"expression":"exec.user_session.k8s_username - != \"\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"k8s_user_session","product_tags":["policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os - == \"windows\""],"monitoring":["compliance.policy"],"name":"known_dll_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1574-hijack-execution-flow","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os - == 
\"windows\""],"monitoring":["compliance.policy"],"name":"windows_firewall_configuration_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_link","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path 
@@ -285,234 +227,118 @@ http_interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel - modules were listed using the lsmod command","enabled":true,"expression":"exec.comm - == \"lsmod\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_lsmod","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n 
\"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"interactive_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device - rule created","enabled":true,"expression":"open.file.path in [~\"/etc/udev/rules.d/*\", - ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", - ~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"udev_modification","product_tags":["tactic:TA0003-persistence","technique:T1546-event-triggered-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ekr-3xj-8yj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735619823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735619823","updateDate":1735619825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"0zl-ilo-guv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716050224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716050224","updateDate":1716050224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fiw-wuv-ueg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734914224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734914224","updateDate":1734914224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"c79-8dg-klx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715445423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715445422","updateDate":1715445424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tiy-95c-mkc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723797423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723797423","updateDate":1723797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"v9x-9ib-tr7","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737288363000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"im - a rule","enabled":true,"expression":"open.file.name == 
\"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"qljifimbbh","updateDate":1737288363000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"zjt-hio-sx0","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1748011784397,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial - description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"wgxsdtgtmx","product_tags":["compliance_framework:HIPAA"],"updateDate":1748011784397,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot - registry modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os - == \"windows\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"safeboot_modification","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path - in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 - open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library + libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE + \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"libpam_ebpf_hook","product_tags":["tactic:TA0006-credential-access","technique:T1056-input-capture","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oag","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemd + spawned shell","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 process.ancestors.file.path == \"/usr/lib/systemd/systemd-executor\" + \u0026\u0026 process.parent.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"runc_modification","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"k8w-brg-51l","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715445426000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715445424","updateDate":1715445426000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"eue-gqs-59v","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715503024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715503024","updateDate":1715503024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_chmod","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"245-ynt-xcy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714610223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714610223","updateDate":1714610224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"k95-kl4-jxt","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714696623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714696623","updateDate":1714696627000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web - application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 - == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" - \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", - \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name - == \"java\")","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"webapp_imds_V1_request","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"zsr-y94-6u2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734482226000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734482224","updateDate":1734482226000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container - escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name - == \"release_agent\" \u0026\u0026 open.file.path in [\"/tmp/**\", \"/home/**\", - \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY - \u003e 0","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"release_agent_escape","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"18r-273-a6u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735547824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735547824","updateDate":1735547824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"sim-wjp-rxz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1748011504465,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial - description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"rawfdmzxlc","product_tags":["compliance_framework:HIPAA"],"updateDate":1748011504465,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"gyo-ajy-16h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746633521705,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746633521","updateDate":1746633521705,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python - code was provided on the command line","enabled":true,"expression":"exec.file.name - == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args - in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", - ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"python_cli_code","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"wvg-hbj-6o2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720600623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1720600622","updateDate":1720600624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qfa-phf-txa","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746529940327,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746529940","updateDate":1746529940327,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"v64-qmf-tal","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1740543488000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1740543488","updateDate":1740543488000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", - \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", - \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] - \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_history_deleted","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 - process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == - 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"java_shell_execution_parent","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser - WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name - in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in - [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"webdriver_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ast-isd-tty","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715645381000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1715645381","updateDate":1715645381000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ylx-z1o-jjd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746184343494,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746184343","updateDate":1746184343494,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"kas-gb6-imd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746611611223,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746611610","updateDate":1746611611223,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"systemd_spawned_shell","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task","subtechnique:T1053.006-systemd-timers","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_firewall_configuration_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name + in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name + !=\"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"apparmor_modified_tty","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl + used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" + \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"openssl_backdoor","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process + arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline + in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", + ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew + /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", + ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"rubeus_execution","product_tags":["tactic:TA0006-credential-access","technique:T1558-steal-or-forge-kerberos-tickets","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == - \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"wzz-ni8-56v","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1733963824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733963824","updateDate":1733963824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"1ys-tf8-u32","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735562224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735562224","updateDate":1735562224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ou7-vxd-f9m","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746611594063,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746611593","updateDate":1746611594063,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"9wz-mgt-zkp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715546226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715546226","updateDate":1715546226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sfj-gky-roy","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1732869424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732869424","updateDate":1732869424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ybg-c9d-29b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723034223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723034223","updateDate":1723034224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a1s-8yo-pst","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746630365537,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746630365","updateDate":1746630365537,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", - ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) - \u003e 0","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_profile_modification","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit - used to export critical registry hive","enabled":true,"expression":"exec.file.name - in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", - ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"critical_registry_export","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"gyq-tpv-vvr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746195381263,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746195381","updateDate":1746195381263,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-fdc","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} - != 
\"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"service_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track - execution context from service","enabled":true,"expression":"(exec.envs in - [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\" - in container.tags) \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\", - ~\"auid_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_service","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mc-0xr-vlw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714264624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714264624","updateDate":1714264624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4qm-ikt-fpr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721954224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721954223","updateDate":1721954224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bcc-gqn-ty6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746443531257,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746443531","updateDate":1746443531257,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"p4n-ijm-zeu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714155721000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714155721","updateDate":1714155721000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xx5-jk7-v7j","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746631365451,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746631365","updateDate":1746631365451,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious - usage of ntdsutil","enabled":true,"expression":"exec.file.name 
== \"ntdsutil.exe\" - \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"suspicious_ntdsutil_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - unshare utility was executed in a container","enabled":true,"expression":"exec.comm - == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"unshare_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path + \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lt6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process was executed in a Kubernetes user session","enabled":true,"expression":"exec.user_session.k8s_username + != \"\"","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"k8s_user_session","product_tags":["policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n ( rename.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] \n || + rename.file.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", + ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", + ~\"/run/systemd/user/**\"]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", + ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", + ~\"/run/systemd/system/**\"] \n || rename.file.destination.path in [ ~\"/etc/systemd/user/**\", + ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", + ~\"/run/systemd/user/**\"])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", + \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_rename","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_com_rpc_debugging_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || unlink.file.path + in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", + ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_unlink","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + shell folders registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell + Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User + Shell Folders*\"]","filters":["os == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_shell_folders_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS + file referenced in commandline","enabled":true,"expression":"exec.cmdline + =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"ntds_in_commandline","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","subtechnique:T1548.001-setuid-and-setgid","subtechnique:T1548.003-sudo-and-sudo-caching","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-r6p","type":"agent_rule","attributes":{"actions":[{"set":{"name":"correlation_key_file_path","field":"unlink.file.path","scope":"cgroup","inherited":false},"disabled":false}],"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + file was deleted shortly after it was executed","enabled":true,"expression":"unlink.file.path + in ${cgroup.chain_exec_unlink}","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"delete_new_process","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-rb4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"GitHub + API was contacted","enabled":true,"expression":"connect.addr.hostname =~ \"api.github.com\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"github_api_contacted","product_tags":["tactic:TA0008-lateral-movement","technique:T1021-remote-services","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + user was deleted via an interactive session","enabled":true,"expression":"exec.file.name + in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"user_deleted_tty","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard 
tool","enabled":true,"expression":"(\n open.flags + \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
@@ -521,217 +347,9 @@ http_interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_chown","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path - in [ 
~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mpd","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process connected to a cryptocurrency mining pool","enabled":true,"expression":"connect.addr.hostname - in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", - ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", - ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", - ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", - \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"]","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"mining_pool_domain","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process attempted to inject code into another process","enabled":true,"expression":"ptrace.request - == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request - == PTRACE_POKEUSR","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ptrace_injection","product_tags":["tactic:TA0005-defense-evasion","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - shell made an outbound network connection","enabled":true,"expression":"(connect.addr.family - == AF_INET || connect.addr.family == AF_INET6) \u0026\u0026 process.file.name - in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] - \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"shell_net_connection","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-krr","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process removed itself from the filesystem","enabled":true,"expression":"unlink.file.path - == process.file.path","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"unlink_self","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"hhl-9nk-8ls","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715819826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715819824","updateDate":1715819826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"shf-bur-1id","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735288624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735288624","updateDate":1735288624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"qk2-gkn-517","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730162223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730162223","updateDate":1730162225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm - == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_msr_write","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name - in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", - \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == - \"linux\""],"monitoring":["threat-detection.policy"],"name":"paste_site","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command - executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] - \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"wmi_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1047-windows-management-instrumentation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"w60-a8d-qrd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734439024000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734439023","updateDate":1734439024000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"i5i-xfz-wxs","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746195393441,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My 
- Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746195393","updateDate":1746195393441,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_rename","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible - ransomware note created under common user directories","enabled":true,"expression":"open.flags - \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", - ~\"/bin/**\", 
~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", - ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 - (open.file.name in [r\"(?i)(restore|recover|instruction|help|how_to|how\\ - to|ransom).*(your_|recover|crypt|lock|ransom|instruction|files)\"] || open.file.name - in [r\"RECOVER.*\\.txt\"]) \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ransomware_note","product_tags":["tactic:TA0040-impact","technique:T1490-inhibit-system-recovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"d7t-4i4-tex","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1722659826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1722659824","updateDate":1722659826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ox-06e-x4c","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734093424000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734093423","updateDate":1734093424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"eqx-iiy-wru","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746195384460,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746195384","updateDate":1746195384460,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"6at-weo-6ya","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746635720659,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746635720","updateDate":1746635720659,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ukn-yjf-h6a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719981424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719981423","updateDate":1719981424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request - == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request - == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm - not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"sensitive_tracing","product_tags":["tactic:TA0004-privilege-escalation","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"7s9-sfq-2km","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732552624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732552624","updateDate":1732552624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_wrmsr","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process is masquerading as a kernel thread by using bracket notation in its - name","enabled":true,"expression":"(exec.comm in [r\"^\\[.*\\]$\"] || exec.argv0 - in [r\"^\\[.*\\]$\"]) \u0026\u0026 (process.parent.ppid !=2 || process.args - != \"\")","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_process_masquerade","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"rc4-b53-3sj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715863024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715863024","updateDate":1715863024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ssm-zlm-vqh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720312626000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1720312624","updateDate":1720312626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory - == true","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load_from_memory","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"9n1-l1g-u4k","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1721853424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721853423","updateDate":1721853424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name - !~ \"runc*\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - network utility (such as nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name - in [\"nmap\", \"masscan\", \"fping\", \"zmap\", \"zgrab\", \"zgrab2\", \"rustscan\", - \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"common_net_intrusion_util","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) - \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", - \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"potential_web_shell_parent","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path - in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])) \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_open","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"]\n || rename.file.destination.path - in [\"/etc/sudoers\",~\"/etc/sudoers.d/*\"])\n)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_rename","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - host file system was mounted in a container","enabled":true,"expression":"mount.source.path - == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id - != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mount_host_fs","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS - file referenced in commandline","enabled":true,"expression":"exec.cmdline - =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"ntds_in_commandline","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container management utility was executed in a container","enabled":true,"expression":"exec.file.name - in [\"docker\", \"kubectl\", \"ctr\"] \u0026\u0026 container.id != \"\"","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"suspicious_container_client","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"4bk-eaa-j5w","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1728664623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1728664622","updateDate":1728664623000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5ok-zd7-gf9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1748012897594,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial - description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"khuiwwlgzk","product_tags":["compliance_framework:HIPAA"],"updateDate":1748012897594,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"n8l-rby-b42","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735072624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735072624","updateDate":1735072624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"f4p-2wj-hrf","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1715459823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715459822","updateDate":1715459824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_open","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" + \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_open_v2","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path 
@@ -743,128 +361,61 @@ http_interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process deleted common system log files","enabled":true,"expression":"unlink.file.path + in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", + \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", + \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 + process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"delete_system_log","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == - \"linux\""],"monitoring":["threat-detection.policy"],"name":"looney_tunables_exploit","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"50t-g20-n4o","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1710772096000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"","enabled":true,"expression":"open.file.name - == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"Randomname","updateDate":1710772096000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rsm-fam-pfp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714869424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714869424","updateDate":1714869424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path - =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" - \u0026\u0026 process.file.name =~ 
\"runc.*\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"runc_leaky_fd","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"35e-29w-qhu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715128624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715128624","updateDate":1715128624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sic-1px-69u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717418225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1717418224","updateDate":1717418225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vxv-90c-vm4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714279023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714279022","updateDate":1714279024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package - management was detected in a 
container","enabled":true,"expression":"exec.file.path - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"package_management_in_container","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection","policy:best-practice"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jm5","type":"agent_rule","attributes":{"actions":[{"set":{"name":"core_pattern_write_container_id","field":"container.id","scope":"container","ttl":1800000000000,"inherited":false},"disabled":false}],"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detect - any attempt to modify /proc/sys/kernel/core_pattern from a container, which - might result to escape to host when a core dump is triggered.","enabled":true,"expression":"open.file.name - == \"core_pattern\" \u0026\u0026\nopen.file.filesystem == \"proc\" \u0026\u0026\nopen.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 \ncontainer.id - != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"core_pattern_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"jx5-yfk-osv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746789254740,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os 
- == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746789254","updateDate":1746789254740,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container loaded a new kernel module","enabled":true,"expression":"load_module.name - != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"5jy-8qa-vwx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724216976000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testrustupdateacsmthreatsagentrulereturnsbadrequestresponse1724216976","updateDate":1724216976000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zdz-ued-luw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714797424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714797424","updateDate":1714797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1m6-dg0-lq9","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1714624623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714624623","updateDate":1714624624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fxe-inc-9zj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719938223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719938222","updateDate":1719938225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"orc-g8c-fmh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746097919884,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746097919","updateDate":1746097919884,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"43q-0jv-1zb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746616279053,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746616279","updateDate":1746616279053,"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"qoe-y42-hqp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716554224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716554224","updateDate":1716554224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rv8-utm-cs5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746702690686,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746702690","updateDate":1746702690686,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"tps-9zv-vpp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734899823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734899823","updateDate":1734899825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"w95-d3h-c3r","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735864623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735864622","updateDate":1735864625000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path - in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 - open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 - process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"auditd_rule_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar - archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" - \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"tar_execution","product_tags":["tactic:TA0009-collection","technique:T1560-archive-collected-data","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"6ak-6po-dd6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716640623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716640622","updateDate":1716640624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hcr-3py-6it","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1736807340000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1736807340","updateDate":1736807342000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"x2p-h4q-sxd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746702682078,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746702682","updateDate":1746702682078,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"looney_tunables_exploit","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", + ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal + Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows + NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal + Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"registry_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_utimes","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a - SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || - setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 - process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path - != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"suid_file_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll - written to a suspicious directory","enabled":true,"expression":"create.file.name - =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", - ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name - != \"dockerd.exe\"","filters":["os == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"suspicious_dll_write","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"qo2-qin-6hg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714351023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714351022","updateDate":1714351024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mzh-gda-c24","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715762223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715762222","updateDate":1715762224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != + chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2wg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find + command searching for container management socket","enabled":true,"expression":"exec.comm + == \"find\" \u0026\u0026 exec.args in [~\"*.sock*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"find_mgmt_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible + ransomware note created under common user directories","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", + ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", + ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 + (open.file.name in [r\"(?i)(restore|recover|instruction|help|how_to|how\\ + to|ransom).*(your_|recover|crypt|lock|ransom|instruction|files)\"] || open.file.name + in [r\"RECOVER.*\\.txt\"]) \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"ransomware_note","product_tags":["tactic:TA0040-impact","technique:T1490-inhibit-system-recovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"actions":[{"set":{"name":"ratelimit_priv_container","field":"container.id","scope":"container","ttl":10000000000,"inherited":false},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + privileged container was created","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at + \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0 + \u0026\u0026 container.id != ${container.ratelimit_priv_container}","filters":["os + == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"deploy_priv_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:best-practice","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
@@ -873,109 +424,161 @@ http_interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_utimes","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"xg2-lum-j2a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714783024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714783024","updateDate":1714783024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sz5-kvy-3kd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732927024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732927024","updateDate":1732927024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mgl-xtg-ctl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715027823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715027822","updateDate":1715027824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || - link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_link","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"kid-vkk-fj9","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715603823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715603822","updateDate":1715603824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"klx-4zm-eg5","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1746184334893,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746184334","updateDate":1746184334893,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_open","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified 
without authorization","enabled":true,"expression":"(\n (unlink.file.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_chmod","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag + \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 + PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"dirty_pipe_attempt","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find + command searching for sensitive files","enabled":true,"expression":"exec.comm + == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"find_credentials","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","subtechnique:T1552.001-credentials-in-files","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m7t","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + LD_AUDIT variable is populated by a link to a suspicious file directory","enabled":true,"expression":"process.envs + in [\"LD_AUDIT\"] \u0026\u0026 \n(\n mmap.file.path in [~\"/home/*\", ~\"/tmp/*\", + ~\"/dev/shm/*\"] || \n mmap.file.in_upper_layer == true\n) \u0026\u0026\nmmap.protection + \u0026 (PROT_EXEC) \u003e 0 ","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ld_audit_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local + account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name + in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"network_sniffing_tool","product_tags":["tactic:TA0007-discovery","technique:T1040-network-sniffing","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Perl + executed with suspicious argument","enabled":true,"expression":"exec.file.name + == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 (exec.args + in [~\"*SOCK_STREAM*\", ~\"*sockaddr_in*\"])","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"perl_shell","product_tags":["tactic:TA0001-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-531","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container performed various enumeration activities including checking container + runtime, process privileges, user namespace mappings, Linux Security Modules, + mount points, and network namespaces.","enabled":true,"expression":"container.id + != \"\" \u0026\u0026 (\n open.file.path in [~\"/run/systemd/container\"] + ||\n open.file.path in [~\"/proc/*/status\", ~\"/proc/*/task/*/status\"] + ||\n (open.file.path in [~\"/proc/*/uid_map\"] \u0026\u0026 process.file.name + not in [\"runc\"]) ||\n open.file.path in [~\"/proc/*/attr/current\"] ||\n open.file.path + in [~\"/proc/*/mountinfo\"] ||\n open.file.path in [~\"/proc/*/cgroup\"] + ||\n open.file.path in [~\"/proc/net/unix\"]\n) \u0026\u0026\nprocess.file.in_upper_layer + \u0026\u0026 \nprocess.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"] ","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"container_breakout_enumeration_tool","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name + in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", + ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", + ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", + ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", + \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\", \"donate.v2.xmrig.com\"] + \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mining_pool_lookup","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP + web application spawning shell","enabled":true,"expression":"exec.file.name + in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in + [\"php.exe\",\"php-cgi.exe\"]","filters":["os == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"php_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python + code was provided on the command line","enabled":true,"expression":"exec.file.name + == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args + in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", + ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"python_cli_code","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","subtechnique:T1059.006-python","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", + \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", + \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] + \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_history_deleted","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || + rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", + ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_rename","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-q5e","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"package_install_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context of npm package installation","enabled":true,"expression":"exec.file.name + in [~\"node\", ~\"npm\"] \u0026\u0026 \n(process.args =~ \"* install *\" || + process.args =~ \"* add *\" || process.args =~ \"* i *\" || 
\n process.args + =~ \"* in *\" || process.args =~ \"* ins *\" || process.args =~ \"* inst *\" + || \n process.args =~ \"* insta *\" || process.args =~ \"* instal *\" || process.args + =~ \"* isnt *\" || \n process.args =~ \"* isnta *\" || process.args =~ \"* + isntal *\" || process.args =~ \"* isntall *\") \u0026\u0026\nnot(process.args + =~ \"*-e *\") \u0026\u0026\n${process.correlation_key} in [\"\", ~\"cgroup_*\", + ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\", ~\"interactive_shell_*\", + ~\"k8s_session_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_npm_install","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container management socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name + == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 + exec.args in [~\"*docker.sock*\", ~\"*dockershim.sock*\", ~\"*containerd.sock*\", + ~\"*crio.sock*\", ~\"*frakti.sock*\", ~\"*rktlet.sock*\"] \u0026\u0026 container.id + != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"curl_mgmt_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a0x","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != 
\"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"k8s_session_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from k8s user session","enabled":true,"expression":"exec.user_session.k8s_username + != \"\" \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\", + ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\", ~\"interactive_shell_*\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_k8s_usersession_entrypoint","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm + == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_history_symlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_chmod","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", - ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || unlink.file.path - in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", - ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_unlink","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process connected to an SSH server","enabled":true,"expression":"connect.addr.port - == 22 \u0026\u0026 (connect.addr.family == AF_INET || connect.addr.family - == AF_INET6) \u0026\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, - ::1/128, ::/128]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ssh_outbound_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1563-remote-service-session-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 + chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_chmod","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs + in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"cryptominer_envs","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects + CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" + \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", + \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", + \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", + \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"redis_sandbox_escape","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar + 
archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" + \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"tar_execution","product_tags":["tactic:TA0009-collection","technique:T1560-archive-collected-data","subtechnique:T1560.001-archive-via-utility","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + user was created via an interactive session","enabled":true,"expression":"exec.file.name + in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"user_created_tty","product_tags":["tactic:TA0003-persistence","technique:T1136-create-account","subtechnique:T1136.001-local-account","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_chown","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 - container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"hgr-nny-7zr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720471023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1720471022","updateDate":1720471024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"egv-kvz-h9q","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746529942370,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746529942","updateDate":1746529942370,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"zkc-kqn-frn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746616273510,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746616273","updateDate":1746616273510,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil - was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name - == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 - exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"certutil_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name - in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"procdump_execution","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro3-z56-52j","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732221423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1732221423","updateDate":1732221424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vyd-2vb-tnk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1738469890000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1738469890","updateDate":1738469890000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tw0-y2e-9wf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1738627773000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1738627773","updateDate":1738627773000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags - \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path + == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"auditd_config_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
@@ -984,851 +587,325 @@ http_interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" - \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_open_v2","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name - == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"auditctl_usage","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"iyj-haq-dvu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715373426000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715373425","updateDate":1715373426000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"912-lu2-2sg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1731203077000,"creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1731203077","updateDate":1731203077000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"qba-1qm-uj5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721075824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721075824","updateDate":1721075824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"981-x7o-izo","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735749424000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735749424","updateDate":1735749424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ocv-we5-g5y","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715661423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715661422","updateDate":1715661423000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ya9-48i-611","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1734496623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734496623","updateDate":1734496625000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", - \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 - open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name - == \"truncate\"","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_history_truncated","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", - ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"])\n \u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", - 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 - (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_chown","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - user was deleted via an interactive session","enabled":true,"expression":"exec.file.name - in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"user_deleted_tty","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"jf1-ep2-li7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1745209090000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1745209090","updateDate":1745209090000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"1cw-vgz-eaz","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1746628446463,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746628446","updateDate":1746628446463,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup - tool used for local privilege escalation","enabled":true,"expression":"exec.file.name - == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", - ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", - ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"sharpup_tool_usage","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"rta-b8v-4uf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714322223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714322222","updateDate":1714322224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hsg-toh-i57","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723610223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723610223","updateDate":1723610224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bjk-8om-6ua","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746184333160,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746184333","updateDate":1746184333160,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"07u-iqk-me5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746631377837,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746631377","updateDate":1746631377837,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", - ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == 
\"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"aws_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - registry hives file location key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os - == \"windows\""],"monitoring":["compliance.policy"],"name":"registry_hives_file_path_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_rename","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot + registry modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os + == 
\"windows\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"safeboot_modification","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hc1","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"auid_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from auid","enabled":true,"expression":"exec.auid \u003e= + 0 \u0026\u0026 exec.auid != AUDIT_AUID_UNSET \u0026\u0026 ${process.correlation_key} + in [\"\", ~\"cgroup_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_auid","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious + usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" + \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os + == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"suspicious_ntdsutil_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_unlink","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", - ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"])\n \u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 - chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_chmod","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"qd9-39s-51s","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721666223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721666223","updateDate":1721666224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a - critical windows file was modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == \"windows\""],"monitoring":["compliance.policy"],"name":"critical_windows_files_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP - web application spawning shell","enabled":true,"expression":"exec.file.name - in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in - [\"php.exe\",\"php-cgi.exe\"]","filters":["os == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"php_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id - != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"tty_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"dtv-dxk-3pn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746616272397,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746616272","updateDate":1746616272397,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - compiler was executed inside of a container","enabled":true,"expression":"(exec.comm - in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", - \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args - in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 - process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == - \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"compiler_in_container","product_tags":["tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","policy:best-practice","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"actions":[{"set":{"name":"imds_v1_usage_services","field":"process.file.name","append":true,"ttl":10000000000,"inherited":false},"disabled":false}],"category":"Network - Activity","creationDate":1752506673000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - AWS IMDSv1 request was issued","disabled":["best-practice.policy"],"enabled":false,"expression":"imds.cloud_provider - == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name - not in ${imds_v1_usage_services}","filters":["os == 
\"linux\""],"name":"imds_v1_usage","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice"],"updateDate":1752506673000,"updater":{"name":"Datadog","handle":""}}},{"id":"zt8-od0-yxu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730205424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730205423","updateDate":1730205424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - shell folders registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell - Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User - Shell Folders*\"]","filters":["os == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_shell_folders_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name + == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_unlink","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag + \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"dirty_pipe_exploitation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + unshare utility was executed in a container","enabled":true,"expression":"exec.comm + == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"unshare_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name + in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"chatroom_request","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" + \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path + in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 + (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm + in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", + ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"compile_after_delivery","product_tags":["tactic:TA0004-privilege-escalation","tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mpd","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process connected to a cryptocurrency mining pool","enabled":true,"expression":"connect.addr.hostname in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", ~\"*.supportxmr.com\", 
\"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", - \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] \u0026\u0026 - process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mining_pool_lookup","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process - arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline - =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 - exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"sliver_c2_implant_execution","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType - 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_cryptographic_blocking_policy_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ycc-lv0-6oj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730939824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730939824","updateDate":1730939824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"v14-hvg-0fd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735216626000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735216624","updateDate":1735216626000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"aij-phz-7iz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746630373819,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746630373","updateDate":1746630373819,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"qzk-a8h-ikx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746195394785,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My 
- Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746195394","updateDate":1746195394785,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"44y-bei-bqj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746633539277,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746633538","updateDate":1746633539277,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] - \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"dynamic_linker_config_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"fmr-do0-8np","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1748003540353,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial - description","enabled":true,"expression":"open.file.name == 
\"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"fcggsfqidc","product_tags":["compliance_framework:HIPAA"],"updateDate":1748003540353,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"8rl-d3i-xyv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746195378531,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746195378","updateDate":1746195378531,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel - modules were listed using the kmod command","enabled":true,"expression":"exec.comm - == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kmod_list","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"hlp-8dr-0i3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725467825000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1725467823","updateDate":1725467825000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ps4-63s-bzc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714567023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714567023","updateDate":1714567024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"l9m-5ce-g9i","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1734525423000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734525422","updateDate":1734525423000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) - \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e - 90s","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - user was created via an interactive session","enabled":true,"expression":"exec.file.name - in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - 
\u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"user_created_tty","product_tags":["tactic:TA0003-persistence","technique:T1136-create-account","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path + \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\", \"donate.v2.xmrig.com\"] + \u0026\u0026 connect.addr.is_public == true \u0026\u0026 connect.addr.port + not in [53, 80, 443]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mining_pool_domain","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-psd","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process connected to a paste site","enabled":true,"expression":"connect.addr.hostname + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", + \"transfer.sh\"] \u0026\u0026 connect.addr.is_public == true \u0026\u0026 + connect.addr.port in [80, 443]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"paste_site_domain","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_utimes","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential - Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag - \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 - PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 - process.gid != 0)","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"dirty_pipe_attempt","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process made an outbound IRC 
connection","enabled":true,"expression":"connect.addr.port - == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"irc_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - matches known relay attack tool","enabled":true,"expression":"exec.file.name - in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", - ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", - \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", - ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", - ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"relay_attack_tool_execution","product_tags":["tactic:TA0006-credential-access","technique:T1555-credentials-from-password-stores","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"aoo-snu-t5u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714423023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714423023","updateDate":1714423024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"710-xzg-ays","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1714480623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714480623","updateDate":1714480624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"oed-ka8-syl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1711550899000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"my_agent_rule","updateDate":1711550899000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"vca-vvl-m7a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746631358513,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746631358","updateDate":1746631358513,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", - ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n) \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - 
\"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"5zt-j5u-aqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715287024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715287024","updateDate":1715287024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uhw-kuq-ute","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721119025000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721119024","updateDate":1721119025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xw4-uw8-mmx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725885424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1725885424","updateDate":1725885424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"m77-qgu-c48","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1717677423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717677422","updateDate":1717677424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"yel-n8d-fhc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746443527243,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746443527","updateDate":1746443527243,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", - ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == - \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bnt","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} - != 
\"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track - execution context from cgroup","enabled":true,"expression":"exec.cgroup.id - != process.parent.cgroup.id \u0026\u0026 ${process.correlation_key} in [\"\", - ~\"cgroup_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_cgroup","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-kjt","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} - != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"service_new_cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track - execution context from new service cgroup write","enabled":true,"expression":"cgroup_write.pid - \u003e 0 \u0026\u0026 (process.envs in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] - || \"tags.datadoghq.com/service\" in container.tags) \u0026\u0026 ${process.correlation_key} - in [~\"service_*\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_service_new_cgroup_write","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-psd","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process connected to a paste site","enabled":true,"expression":"connect.addr.hostname - in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", - \"transfer.sh\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"paste_site_domain","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl - used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" - \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"service_stop","product_tags":["tactic:TA0040-impact","technique:T1489-service-stop","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"3kk-4rm-qug","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1718426224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1718426224","updateDate":1718426224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"l57-d8u-edg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733546224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733546224","updateDate":1733546224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wwv-c72-w2g","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1745986689000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1745986689","updateDate":1745986689000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_chmod","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", - \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm - in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" - \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" - ]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_util","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux - enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status - in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"selinux_disable_enforcement","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling - 
or port forwarding tool used","enabled":true,"expression":"((exec.comm == - \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in - [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags - in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] - ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", - \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args - in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", - \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", - \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", - \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == - \"linux\""],"monitoring":["threat-detection.policy"],"name":"tunnel_traffic","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ges-qo5-4p8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746635709720,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746635709","updateDate":1746635709720,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"rno-53m-mf3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714538225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714538225","updateDate":1714538225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5b4-k0v-rzw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734424624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734424623","updateDate":1734424624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e - 90s","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lc2","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Remote - access was created using a terminal-sharing service","enabled":true,"expression":"connect.addr.hostname - in [\"ssh.tmate.io\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"tmate_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1219-remote-access-tools","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ulx-voj-zk3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714883824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714883824","updateDate":1714883824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"e6l-qo1-y2e","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714682223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714682223","updateDate":1714682224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uqg-z0t-83n","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1715575023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715575022","updateDate":1715575024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"6w8-3xn-j4c","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1736066223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1736066222","updateDate":1736066224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-pnt","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process connected to a penetration testing domain","enabled":true,"expression":"connect.addr.hostname - in [~\"*.interact.sh\", ~\"*.oast.pro\", ~\"*.oast.live\", ~\"*.oast.fun\", - ~\"*.oast.me\", ~\"*.burpcollaborator.net\", ~\"*.oastify.com\", ~\"*canarytokens.com\", - ~\"*.requestbin.net\", ~\"*.dnslog.cn\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"pentest_domain","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"vvb-sfk-jn1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724647024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724647024","updateDate":1724647024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uyv-a9k-8l7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734395826000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734395824","updateDate":1734395826000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"6bp-g7f-vgp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746789261585,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746789261","updateDate":1746789261585,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8tp-dmg-o8w","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746702691437,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746702691","updateDate":1746702691437,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_unlink","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","subtechnique:T1053.003-cron","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", + ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_utimes","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_chown","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil + was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name + == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 + exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os + == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"certutil_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container executed a new binary not found in the container image","enabled":true,"expression":"container.id + != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time + \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"new_binary_execution_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + kubeconfig file was accessed","enabled":true,"expression":"open.file.path + in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"read_kubeconfig","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n 
open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ftd-d3e-byt","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721666224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721666224","updateDate":1721666224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xxc-35o-apy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1729427824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1729427824","updateDate":1729427824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"v8l-tbq-nkc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746611597548,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746611597","updateDate":1746611597548,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_unlink","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - scheduled task was 
created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] - \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"scheduled_task_creation","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"3xf-404-qez","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714667823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714667823","updateDate":1714667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"g9j-hhf-7at","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1722703023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1722703023","updateDate":1722703024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"o9g-ptk-2zv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733575024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733575024","updateDate":1733575024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path - == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == - \"linux\""],"monitoring":["threat-detection.policy"],"name":"auditd_config_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"k1r-tva-i6e","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1727829423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1727829422","updateDate":1727829425000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"lhe-ksz-xyj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1711595493000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testjavagetacsmthreatsagentrulereturnsokresponse1711595493","updateDate":1711595493000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"97d-p9d-x1d","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714941423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714941422","updateDate":1714941424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a9f-o95-atg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715128623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715128622","updateDate":1715128624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hsx-x1l-3zb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746097926103,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746097925","updateDate":1746097926103,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"pz7-rvb-ckm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734692969000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1734692969","updateDate":1734692970000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", - ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] - \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in - [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - 
\"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.argv0 not in [\"runc\", - \"/usr/bin/runc\", \"/usr/sbin/runc\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"dynamic_linker_config_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"jbe-827-tq7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732768624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1732768624","updateDate":1732768624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rgf-wo7-4fj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715402226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715402224","updateDate":1715402226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nor-y5a-3sn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715373423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715373422","updateDate":1715373424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nue-wxi-y3i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735720623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735720623","updateDate":1735720626000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n link.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || - link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" - ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_link","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", 
~\"/etc/systemd/system/**\", - ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || open.file.path - in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", - ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_open","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"(connect.addr.family - == AF_INET || connect.addr.family == AF_INET6) \u0026\u0026 connect.addr.is_public - == true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port - \u003c= 60150","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"p2pinfect_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis - module has been created","enabled":true,"expression":"(open.flags \u0026 
(O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name - in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in - [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"redis_save_module","product_tags":["tactic:TA0002-execution","technique:T1129-shared-modules","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zf-mmz-56y","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746616270272,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746616270","updateDate":1746616270272,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - configuration directory for an ssh worm","enabled":true,"expression":"open.file.path - in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] - \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ssh_it_tool_config_write","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n ( rename.file.path + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n ( link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", - 
~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] \n || - rename.file.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"]\n || + link.file.destination.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", - ~\"/run/systemd/user/**\"]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", + ~\"/run/systemd/user/**\"] \n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", - ~\"/run/systemd/system/**\"] \n || rename.file.destination.path in [ ~\"/etc/systemd/user/**\", + ~\"/run/systemd/system/**\"] \n || link.file.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", - \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_rename","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library - libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE - \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"libpam_ebpf_hook","product_tags":["tactic:TA0006-credential-access","technique:T1056-input-capture","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"w3d-qp8-3yb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716309424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1716309424","updateDate":1716309424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ulc-hn1-cz5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725295024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1725295023","updateDate":1725295024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3cv-rwp-2t7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724215024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724215024","updateDate":1724215024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ht-mqm-ybx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746628432905,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name 
== \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746628432","updateDate":1746628432905,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"kvo-o7f-pgu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746789257870,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746789257","updateDate":1746789257870,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"fyp-i9k-cv7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746630386239,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746630385","updateDate":1746630386239,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_utimes","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"1gj-w3o-5qw","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1746013904000,"creator":{"name":"Thibault Viennot","handle":"thibault.viennot@datadoghq.com"},"defaultRule":false,"description":"im - a rule","disabled":["CWS_CUSTOM-canary"],"enabled":false,"expression":"open.file.name - == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"ssotlbqrax","updateDate":1746013904000,"updater":{"name":"Thibault - Viennot","handle":"thibault.viennot@datadoghq.com"}}},{"id":"tth-j42-vc4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732591470000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testjavacreateacsmthreatsagentrulereturnsokresponse1732591469","updateDate":1732591470000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path + \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_link","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit + used to export critical registry hive","enabled":true,"expression":"exec.file.name + in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", + ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"critical_registry_export","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", 
~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ]\n || rename.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == + \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + hidden using mount","enabled":true,"expression":"mount.mountpoint.path in + [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", + ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"] \u0026\u0026 process.argv0 + not in [\"runc\", ~\"/*/runc\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mount_proc_hide","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","subtechnique:T1564.003-bind-mounts","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != - chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects - CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" - \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", - \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", - \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", - \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"redis_sandbox_escape","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"b79-xcg-63p","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719059824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name 
== \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719059824","updateDate":1719059824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kbx-ylg-k86","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734597423000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734597422","updateDate":1734597424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"rec-v3q-e1c","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734770223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734770223","updateDate":1734770227000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", - ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"])\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - base64 command was used to decode information","enabled":true,"expression":"exec.file.name - == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"base64_decode","product_tags":["tactic:TA0005-defense-evasion","technique:T1140-deobfuscate-or-decode-files-or-information","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"f2b-qds-3f4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1718815023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1718815022","updateDate":1718815024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"gds-0mc-sle","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733330223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733330222","updateDate":1733330225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs - in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == - \"linux\""],"monitoring":["threat-detection.policy"],"name":"ld_preload_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"stq-uwx-efd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715531824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715531824","updateDate":1715531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qsg-ezg-tyb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746628429225,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746628428","updateDate":1746628429225,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Perl - executed with suspicious argument","enabled":true,"expression":"exec.file.name - == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 (exec.args - in [~\"*SOCK_STREAM*\", 
~\"*sockaddr_in*\"])","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"perl_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - update registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_update_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"b7w-xgg-ocq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717130223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717130222","updateDate":1717130226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-oag","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemd - spawned shell","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n 
\"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] \u0026\u0026 process.ancestors.file.path == \"/usr/lib/systemd/systemd-executor\" - \u0026\u0026 process.parent.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"systemd_spawned_shell","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"vma-z5w-bi9","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734179823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734179822","updateDate":1734179825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 
process.file.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name - =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", - ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"hidden_file_executed","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name + !~ \"runc*\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + network utility (such as nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name + in [\"nmap\", \"masscan\", \"fping\", \"zmap\", \"zgrab\", \"zgrab2\", \"rustscan\", + \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"common_net_intrusion_util","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-cjm","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from cgroup write","enabled":true,"expression":"cgroup_write.pid + \u003e 0 \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\"]","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_cgroup_write","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container loaded a new kernel module","enabled":true,"expression":"load_module.name + != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_wrmsr","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"ip_check_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - winlogon registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"winlogon_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"24l-rs9-d0x","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1710500975000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975","updateDate":1710500975000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"sen-ldk-nvs","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746635722158,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746635721","updateDate":1746635722158,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"]\n || link.file.destination.path - in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_link","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"4sz-cc7-ukd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733560627000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733560624","updateDate":1733560627000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xg0-u09-xir","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733603824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733603824","updateDate":1733603824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7rw-grx-l7u","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1726331823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1726331822","updateDate":1726331823000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kfi-eog-4ml","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746631376325,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746631375","updateDate":1746631376325,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ip_check_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" 
])\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_utimes","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows + explorer file has been modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_explorer_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request + == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request + == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm + not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"sensitive_tracing","product_tags":["tactic:TA0004-privilege-escalation","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jm5","type":"agent_rule","attributes":{"actions":[{"set":{"name":"core_pattern_write_container_id","field":"container.id","scope":"container","ttl":1800000000000,"inherited":false},"disabled":false}],"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detect + any attempt to modify /proc/sys/kernel/core_pattern from a container, which + might result to escape to host when a core dump is triggered.","enabled":true,"expression":"open.file.name + == \"core_pattern\" \u0026\u0026\nopen.file.filesystem == \"proc\" \u0026\u0026\nopen.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 \ncontainer.id + != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"core_pattern_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-3v0","type":"agent_rule","attributes":{"actions":[{"set":{"name":"chain_exec_unlink","field":"exec.file.path","append":true,"scope":"cgroup","ttl":30000000000,"inherited":false},"disabled":false},{"set":{"name":"exec_new_file_in_cgroup","field":"exec.file.path","append":true,"scope":"cgroup","size":10000,"ttl":1800000000000,"inherited":false},"disabled":false},{"set":{"name":"correlation_key_file_path","field":"exec.file.path","scope":"cgroup","inherited":false},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + recently modified file was 
executed","enabled":true,"expression":"exec.file.change_time + \u003c 30s \u0026\u0026 cgroup.file.inode != 0 \u0026\u0026 exec.file.path + not in ${cgroup.exec_new_file_in_cgroup} \u0026\u0026 exec.file.in_upper_layer + != false \u0026\u0026 container.created_at \u003e 1m","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_new_file","product_tags":["policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path + =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026\nopen.file.name + == \"token\" \u0026\u0026\n(process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.parent.comm not in [\"velero\"])","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"aws_eks_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","subtechnique:T1552.001-credentials-in-files","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline + =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ \"*comsvcs*\"","filters":["os + == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"minidump_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id + != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"tty_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n link.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || + link.file.destination.path in [ 
~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" + ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_link","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ngk","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process established a connection to ngrok","enabled":true,"expression":"connect.addr.hostname + in [~\"tunnel.*.ngrok.com\"] \u0026\u0026 connect.addr.is_public == true \u0026\u0026 + connect.addr.port in [80, 443]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ngrok_domain","product_tags":["tactic:TA0011-command-and-control","technique:T1102-web-service","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-s1m","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new static pod manifest was created in the Kubernetes manifests directory","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/etc/kubernetes/manifests/*\"]\n\u0026\u0026 + open.file.extension in [\".yaml\", \".yml\"]\n\u0026\u0026 process.file.path + not in [\"/usr/bin/kubelet\", \"/usr/local/bin/kubelet\", \"/opt/bin/kubelet\"]","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"static_pod_manifest_created","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","technique:T1543-create-or-modify-system-process","subtechnique:T1543.005-container-service","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType + 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_cryptographic_blocking_policy_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + compiler was executed inside of a container","enabled":true,"expression":"(exec.comm + in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args + in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 + process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == + 
\"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"compiler_in_container","product_tags":["tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","policy:best-practice","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + registry hives file location key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"registry_hives_file_path_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-w1z","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process cleared the system cache","enabled":true,"expression":"open.file.path + == \"/proc/sys/vm/drop_caches\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"drop_caches","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the lsmod command","enabled":true,"expression":"exec.comm + == \"lsmod\"","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_lsmod","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path + =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" + \u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"runc_leaky_fd","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name + == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", + ~\"*resume*\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"suspicious_bitsadmin_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package + management was detected in a container","enabled":true,"expression":"exec.file.path + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_unlink","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm - == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_history_symlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2wg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find - command searching for container management socket","enabled":true,"expression":"exec.comm - == \"find\" \u0026\u0026 exec.args in [~\"*.sock*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"find_mgmt_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"vax-ch9-i9h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746529944308,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746529944","updateDate":1746529944308,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - 
AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name - in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name - !=\"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"apparmor_modified_tty","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0s-toi-yyk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746097927076,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746097926","updateDate":1746097927076,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os - == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"azure_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were 
modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"package_management_in_container","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:best-practice","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_unlink","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", - ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ]\n || rename.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", - ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == - \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ngk","type":"agent_rule","attributes":{"category":"Kernel - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process established a connection to ngrok","enabled":true,"expression":"connect.addr.hostname - in [~\"*.tunnel*.ngrok.com\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ngrok_domain","product_tags":["tactic:TA0011-command-and-control","technique:T1102-web-service","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path - == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 - O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"open_msr_writes","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"d2g-d0v-w1l","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732019824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732019824","updateDate":1732019824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bwn-zl7-d0k","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746097915502,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746097915","updateDate":1746097915502,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"yv4-twv-nsx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746184336905,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746184336","updateDate":1746184336905,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"z0t-qdd-lkb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746630384644,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746630384","updateDate":1746630384644,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs - in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"cryptominer_envs","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"yep-euy-ttp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714552623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714552623","updateDate":1714552624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7sd-d1r-ts5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714840623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714840622","updateDate":1714840624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bec-cnc-wlz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746631362067,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746631361","updateDate":1746631362067,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-3v0","type":"agent_rule","attributes":{"actions":[{"set":{"name":"chain_exec_unlink","field":"exec.file.path","append":true,"scope":"cgroup","ttl":30000000000,"inherited":false},"disabled":false},{"set":{"name":"exec_new_file_in_cgroup","field":"exec.file.path","append":true,"scope":"cgroup","size":10000,"ttl":1800000000000,"inherited":false},"disabled":false},{"set":{"name":"correlation_key_file_path","field":"exec.file.path","scope":"cgroup","inherited":false},"disabled":false}],"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - recently modified file was executed","enabled":true,"expression":"exec.file.change_time - \u003c 30s \u0026\u0026 cgroup.file.inode != 0 \u0026\u0026 exec.file.path - not in ${cgroup.exec_new_file_in_cgroup}","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_new_file","product_tags":["policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline - =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ \"*comsvcs*\"","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"minidump_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter - used to breakout of container","enabled":true,"expression":"exec.file.name - == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 - container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"nsenter_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"pb3-26n-452","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719981423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719981422","updateDate":1719981424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"isj-kzv-ebz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746633518640,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746633518","updateDate":1746633518640,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-cyz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - shell spawned from a git clone which could be exploitation of CVE-2025-48384","enabled":true,"expression":"exec.comm - in 
[\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] - \u0026\u0026 process.ancestors[A].comm == \"git\" \u0026\u0026 process.ancestors[A].argv - in [\"clone\"] \u0026\u0026 process.ancestors[A].args_flags in [\"recursive\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"git_cve_2025_48384","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - mount utility was executed in a container","enabled":true,"expression":"exec.comm - == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mount_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service - registry runkey modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os - == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"registry_service_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ybl-tp8-aab","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730263023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730263022","updateDate":1730263025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a66-2qy-xwe","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733128623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733128622","updateDate":1733128625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_open","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","subtechnique:T1548.001-setuid-and-setgid","subtechnique:T1548.003-sudo-and-sudo-caching","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name + == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\" , \"v\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"auditctl_usage","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently + modified file requested credentials from IMDS","enabled":true,"expression":"imds.url + =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time + \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"modified_file_requesting_imds_creds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name + == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", + ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"socat_shell","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process was executed matching arguments for a UAC bypass technique common + in powershell empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP + -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", + ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"powershell_empire_uac_bypass","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + AWS CLI utility was executed","enabled":true,"expression":"exec.file.name + == \"aws\"","filters":["os == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"aws_cli_usage","product_tags":["tactic:TA0002-execution","technique:T1651-cloud-administration-command","policy:best-practice","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ 
\"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path 
@@ -1836,178 +913,74 @@ http_interactions: \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" - \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"database_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x9u","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} - != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"interactive_shell_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track - execution context from interactive shell","enabled":true,"expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] \u0026\u0026 (process.tty_name != \"\" || exec.args_flags in [\"i\"]) \u0026\u0026 - 
${process.correlation_key} in [\"\", ~\"cgroup_*\", ~\"auid_*\", ~\"service_*\", - ~\"service_new_cgroup_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_interactive_shell","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - privileged container was created","enabled":true,"expression":"exec.file.name - != \"\" \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at - \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os - == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"deploy_priv_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection","policy:best-practice"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - process spawned from print server","enabled":true,"expression":"exec.file.name - != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"cups_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known - offensive tool crackmap exec 
executed","enabled":true,"expression":"exec.cmdline - in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","filters":["os == - \"windows\""],"monitoring":["threat-detection.policy"],"name":"crackmap_exec_executed","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"897-56j-4uj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735907824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735907823","updateDate":1735907824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"269-p6y-i3p","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742473183000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1742473182","updateDate":1742473183000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"lf1-s8g-yf7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715503023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715503022","updateDate":1715503024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"database_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_whoami","product_tags":["tactic:TA0007-discovery","technique:T1033-system-owner-or-user-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_utimes","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || - rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", - ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_rename","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the - windows hosts file was modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os - == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_hosts_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump - was used to dump a process memory","enabled":true,"expression":"exec.cmdline - =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"dotnet_dump_execution","product_tags":["tactic:TA0009-collection","technique:T1005-data-from-local-system","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent - spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= - 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"omigod","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"nio-59w-ip8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714927026000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714927026","updateDate":1714927026000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"cvn-qsw-ibn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716410225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1716410224","updateDate":1716410225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mda-uab-xow","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723178226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1723178224","updateDate":1723178226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wt2-84b-uy6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737433133000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name 
== \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1737433133","updateDate":1737433133000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tjr-ib4-gya","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714509423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714509423","updateDate":1714509424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options - in [~\"cpu-priority*\", ~\"donate-level*\", ~\"wallet-address*\"] || exec.args_flags - == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", - ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", - ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"cryptominer_args","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-r6p","type":"agent_rule","attributes":{"actions":[{"set":{"name":"correlation_key_file_path","field":"unlink.file.path","scope":"cgroup","inherited":false},"disabled":false}],"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - file was deleted shortly after it was 
executed","enabled":true,"expression":"unlink.file.path - in ${cgroup.chain_exec_unlink}","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"delete_new_process","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5ew","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container management utility listed images","enabled":true,"expression":"exec.file.name - in [\"docker\", \"kubectl\", \"ctr\"] \u0026\u0026 exec.args in [\"image list\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"enum_images","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ujx-skx-369","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1744258690000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1744258690","updateDate":1744258690000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"3hj-2t8-ydm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1729787824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1729787824","updateDate":1729787824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path - =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name - == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", - \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"aws_eks_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local - account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name - in [\"tcpdump\", \"tshark\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"network_sniffing_tool","product_tags":["tactic:TA0007-discovery","technique:T1040-network-sniffing","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path - == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] - \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 - exec.uid != 0)","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"pwnkit_privilege_escalation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"vsk-ewy-s83","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714451823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714451823","updateDate":1714451824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + == 
\"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_utimes","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","subtechnique:T1548.001-setuid-and-setgid","subtechnique:T1548.003-sudo-and-sudo-caching","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd + object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" + \u0026\u0026 exec.file.path == \"\" \u0026\u0026 process.parent.file.path + not in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , + \"/run/docker/runtime-runc/moby/*\", \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] + \u0026\u0026 !(process.comm == \"dd-ipc-helper\" \u0026\u0026 exec.file.name + in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"memfd_create","product_tags":["tactic:TA0005-defense-evasion","technique:T1620-reflective-code-loading","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name + in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"procdump_execution","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", - ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || utimes.file.path + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || open.file.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_utimes","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name - in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"chatroom_request","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline - in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", - ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"inveigh_tool_usage","product_tags":["tactic:TA0009-collection","technique:T1557-adversary-in-the-middle","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tig","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - user was added to the sudo group","enabled":true,"expression":"exec.file.name - == \"usermod\" \u0026\u0026 (exec.args_flags 
in [\"aG\"] || exec.args_flags - in [\"G\"]) \u0026\u0026 exec.args_flags not in [\"r\"] \u0026\u0026 (exec.argv - == \"sudo\" || exec.argv == \"wheel\")","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"usermod_privileged_group","product_tags":["tactic:TA0004-privilege-escalation","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", - ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os - == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"gcp_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_chmod","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"1ej-lz6-3iy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735648624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735648624","updateDate":1735648624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft - security essentials executable modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os - == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_security_essentials_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"3gy-keh-bpb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746635700702,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746635700","updateDate":1746635700702,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"zvy-zhs-mba","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746628436281,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746628435","updateDate":1746628436281,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tb2-3ij-eep","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732667824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732667824","updateDate":1732667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"es7-rhv-nra","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714797423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714797422","updateDate":1714797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9ji-2p2-v00","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721248623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721248623","updateDate":1721248625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_open","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known + offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline + in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","filters":["os == + \"windows\""],"monitoring":["threat-detection.policy"],"name":"crackmap_exec_executed","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n 
\"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\
"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 + process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"java_shell_execution_parent","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lc2","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Remote + access was created using a terminal-sharing service","enabled":true,"expression":"connect.addr.hostname + in [\"ssh.tmate.io\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"tmate_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1219-remote-access-tools","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command + executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] + \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"wmi_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1047-windows-management-instrumentation","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path 
@@ -2018,108 +991,62 @@ http_interactions: \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress - traffic allowed using iptables","enabled":true,"expression":"exec.comm == - \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] - \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"iptables_egress_allowed","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"mdn-0hh-uw1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734050226000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734050223","updateDate":1734050226000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"krx-co0-pz2","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1715531823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715531822","updateDate":1715531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"9l7-am7-hy6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1736986169000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1736986169","updateDate":1736986169000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd - object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" - \u0026\u0026 exec.file.path == \"\" \u0026\u0026 process.parent.file.path - not in 
[\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , - \"/run/docker/runtime-runc/moby/*\", \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] - \u0026\u0026 !(process.comm == \"dd-ipc-helper\" \u0026\u0026 exec.file.name - in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"memfd_create","product_tags":["tactic:TA0005-defense-evasion","technique:T1620-reflective-code-loading","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl - used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" - \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"openssl_backdoor","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request - == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == - \"linux\""],"monitoring":["threat-detection.policy"],"name":"ptrace_antidebug","product_tags":["tactic:TA0005-defense-evasion","technique:T1622-debugger-evasion","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"tf1-bgq-7bb","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1714883824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714883824","updateDate":1714883824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rjm-biu-bqq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715272623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715272622","updateDate":1715272624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags - \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" - \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path - in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 - (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm - in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", - \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", - \"clang\", \"gcc\", \"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", - ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"compile_after_delivery","product_tags":["tactic:TA0005-defense-evasion","tactic:TA0004-privilege-escalation","technique:T1027-obfuscated-files-or-information","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential - Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag - \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 - process.gid != 0)","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"dirty_pipe_exploitation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"9of-ebc-ypn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733143023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733143022","updateDate":1733143023000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ceu-3h6-qug","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1740269813000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1740269813","updateDate":1740269814000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - hidden using mount","enabled":true,"expression":"mount.mountpoint.path in - [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", - ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mount_proc_hide","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"fii-ysi-7bu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715618226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715618224","updateDate":1715618226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"2vn-l1s-b0y","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733013424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733013424","updateDate":1733013424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ay-9ve-3i3","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1732451823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1732451822","updateDate":1732451823000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"clk-fln-75d","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746443537713,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746443537","updateDate":1746443537713,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os - == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_com_rpc_debugging_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hc1","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} - != 
\"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"auid_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track - execution context from auid","enabled":true,"expression":"exec.auid \u003e= - 0 \u0026\u0026 exec.auid != AUDIT_AUID_UNSET \u0026\u0026 ${process.correlation_key} - in [\"\", ~\"cgroup_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_auid","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC - scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 
exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", + ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os + == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"gcp_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent + spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= + 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"omigod","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently + written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode + \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c + 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path + not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + 
\"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"suspicious_suid_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","subtechnique:T1548.001-setuid-and-setgid","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline + in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", + ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", + ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == + \"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_cryptominer_process","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n) \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the kmod command","enabled":true,"expression":"exec.comm + == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kmod_list","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", + \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"paste_site","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path + in [\"/usr/bin/runc\", 
\"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 + open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"rc_scripts_modified","product_tags":["tactic:TA0003-persistence","technique:T1037-boot-or-logon-initialization-scripts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"qes-e3j-s1d","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746443538639,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746443538","updateDate":1746443538639,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"runc_modification","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
@@ -2128,14 +1055,26 @@ http_interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_link","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_open","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_utimes","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_utimes","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","subtechnique:T1053.003-cron","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == + 
\"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", + ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) + \u003e 0","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_profile_modification","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path 
@@ -2145,134 +1084,22 @@ http_interactions: \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.id != \"\"\n\u0026\u0026 container.created_at - \u003e 90s","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"szu-tkm-xvx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746443529377,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746443529","updateDate":1746443529377,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"aw7-tup-sy0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746628448155,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746628447","updateDate":1746628448155,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in - 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5xt","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detect - attempts to trigger a coredump after modifying /proc/sys/kernel/core_pattern.","enabled":true,"expression":"exit.cause - == COREDUMPED \u0026\u0026 container.id == ${container.core_pattern_write_container_id}","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"coredump_triggered","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_whoami","product_tags":["tactic:TA0007-discovery","technique:T1033-system-owner-or-user-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path - in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags - not in [\"S\", \"status\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"passwd_execution","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","technique:T1098-account-manipulation","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name - == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", - ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"socat_shell","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - boot registry key 
modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os - == \"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_boot_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"veg-qf4-lgr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719967025000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719967024","updateDate":1719967025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"li0-j5t-0hv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724848624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724848624","updateDate":1724848624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"o4r-6tp-yk0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714466223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714466223","updateDate":1714466224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kax-qcg-qu0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714581423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714581423","updateDate":1714581424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 - (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_chown","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m7t","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - LD_AUDIT variable is populated by a link to a suspicious file directory","enabled":true,"expression":"process.envs - in [\"LD_AUDIT\"] \u0026\u0026 \n(\n mmap.file.path in [~\"/home/*\", ~\"/tmp/*\", - ~\"/dev/shm/*\"] || \n mmap.file.in_upper_layer == true\n) \u0026\u0026\nmmap.protection - \u0026 (PROT_EXEC) \u003e 0 ","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ld_audit_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path - == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY - \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"overwrite_entrypoint","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"pix-a2q-opu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746633525563,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746633525","updateDate":1746633525563,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"73h-yo0-427","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725240870000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1725240869","updateDate":1725240870000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process deleted common system log files","enabled":true,"expression":"unlink.file.path - in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", - \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", - \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 - process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"delete_system_log","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ev9-rxn-om1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733272623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733272622","updateDate":1733272626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5c8-aij-182","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720156180000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testrustgetacsmthreatsagentrulereturnsokresponse1720156180","updateDate":1720156180000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"krq-ced-idm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746702684947,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746702684","updateDate":1746702684947,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-cjm","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} - != 
\"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track - execution context from cgroup write","enabled":true,"expression":"cgroup_write.pid - \u003e 0 \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_cgroup_write","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - arguments indicating possible php shell detected","enabled":true,"expression":"exec.file.name - == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args - in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", - ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", - ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"php_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"gfp-rvz-fcq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746633537526,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746633537","updateDate":1746633537526,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - AWS CLI utility was executed","enabled":true,"expression":"exec.file.name - == \"aws\"","filters":["os == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"aws_cli_usage","product_tags":["tactic:TA0002-execution","technique:T1651-cloud-administration-command","policy:best-practice","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ipl","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process checked the public IP address of the host","enabled":true,"expression":"connect.addr.hostname - in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", - \"whatismyip.akamai.com\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ip_lookup_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes - DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" - \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"kubernetes_dns_enumeration","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"b68-yq9-x3q","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733200623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733200622","updateDate":1733200625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \u003e 90s","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + base64 command was used to decode information","enabled":true,"expression":"exec.file.name + == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"base64_decode","product_tags":["tactic:TA0005-defense-evasion","technique:T1140-deobfuscate-or-decode-files-or-information","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory + == true","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load_from_memory","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process connected to an SSH server","enabled":true,"expression":"connect.addr.port + == 22 \u0026\u0026 (connect.addr.family == AF_INET || connect.addr.family + == AF_INET6) \u0026\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, + ::1/128, ::/128]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ssh_outbound_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1563-remote-service-session-hijacking","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 
process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 
@@ -2281,42 +1108,60 @@ http_interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows - explorer file has been modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_explorer_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path - == ~\"/dev/shm/**\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"devshm_execution","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find - command searching 
for sensitive files","enabled":true,"expression":"exec.comm - == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"find_credentials","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"z2v-n54-g9a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733661423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733661422","updateDate":1733661424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tr5-g9p-4jx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734799023000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734799023","updateDate":1734799025000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"cdy-cvp-oqz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1728617680000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testjavacreateacsmthreatsagentrulereturnsokresponse1728617679","updateDate":1728617680000,"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ohq-oxe-jb4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1726883002000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1726883002","updateDate":1726883002000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"uor-lfz-jrm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746097917859,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746097917","updateDate":1746097917859,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"j7w-ifp-raw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746702683438,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746702683","updateDate":1746702683438,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard 
tool","enabled":true,"expression":"(\n (rename.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path + \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || utimes.file.path + in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", + ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_utimes","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + network utility was executed in a container","enabled":true,"expression":"(exec.comm + in [\"socat\", \"dig\", \"nslookup\", 
\"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] + ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", + ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_util_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + configuration directory for an ssh worm","enabled":true,"expression":"open.file.path + in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] + \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ssh_it_tool_config_write","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll + written to a suspicious directory","enabled":true,"expression":"create.file.name + =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", + ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name + != \"dockerd.exe\"","filters":["os == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"suspicious_dll_write","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_chown","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","subtechnique:T1548.001-setuid-and-setgid","subtechnique:T1548.003-sudo-and-sudo-caching","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x9u","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"interactive_shell_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from interactive shell","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n 
\"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 (process.tty_name != \"\" || exec.args_flags in [\"i\"]) \u0026\u0026 + ${process.correlation_key} in [\"\", ~\"cgroup_*\", ~\"auid_*\", ~\"service_*\", + ~\"service_new_cgroup_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_interactive_shell","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"interactive_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) + \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"potential_web_shell_parent","product_tags":["tactic:TA0002-execution","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
@@ -2325,8 +1170,8 @@ http_interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_rename","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_link","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 
@@ -2334,99 +1179,468 @@ http_interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_chmod","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"zu3-7yi-3w0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714696626000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714696624","updateDate":1714696626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3xd-vam-hd2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730479023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730479022","updateDate":1730479024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name - in 
[\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] - || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name - in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) - \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"jupyter_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - known kubernetes pentesting tool has been 
executed","enabled":true,"expression":"(exec.file.name - in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" - in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"offensive_k8s_tool","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name - == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", - ~\"*resume*\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"suspicious_bitsadmin_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"e7g-3t1-hpu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716352624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716352624","updateDate":1716352624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_chmod","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","subtechnique:T1053.003-cron","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft + security essentials executable modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_security_essentials_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows environment variable registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","filters":["os - == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_system_enviroment_variable_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + == 
\"windows\""],"monitoring":["compliance.policy"],"name":"windows_system_enviroment_variable_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"dynamic_linker_config_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", + \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm + in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" + \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" + ]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"net_util","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web + application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 + == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" + \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name + == \"java\")","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"webapp_imds_V1_request","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_open","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The rclone utility was 
executed","enabled":true,"expression":"exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"file_sync_exfil","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"f5p-men-xz3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735994224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735994224","updateDate":1735994224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"xjd-huv-ice","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746611612739,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746611612","updateDate":1746611612739,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"file_sync_exfil","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path + == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY + \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"overwrite_entrypoint","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request + == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"ptrace_antidebug","product_tags":["tactic:TA0005-defense-evasion","technique:T1622-debugger-evasion","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + shell made an outbound network connection","enabled":true,"expression":"(connect.addr.family + == AF_INET || connect.addr.family == AF_INET6) \u0026\u0026 process.file.name + in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] + \u0026\u0026 connect.addr.is_public == 
true","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"shell_net_connection","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","subtechnique:T1059.004-unix-shell","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling + or port forwarding tool used","enabled":true,"expression":"((exec.comm == + \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in + [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags + in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] + ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", + \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args + in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", + \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", + \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", + \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"tunnel_traffic","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vmo","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process was executed in an SSH session","enabled":true,"expression":"exec.comm + != \"\" \u0026\u0026 process.ancestors.file.name in [\"sshd\"] \u0026\u0026 + 
process.file.name != \"sshd\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssh_session","product_tags":["policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", + \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_chmod","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","subtechnique:T1548.001-setuid-and-setgid","subtechnique:T1548.003-sudo-and-sudo-caching","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bnt","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from cgroup","enabled":true,"expression":"exec.cgroup.id + != process.parent.cgroup.id \u0026\u0026 
${process.correlation_key} in [\"\", + ~\"cgroup_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_cgroup","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes + DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" + \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kubernetes_dns_enumeration","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", + ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ]\n || link.file.destination.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 
process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_link","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the + windows hosts file was modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_hosts_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory == false \u0026\u0026 load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os - == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration - attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", - ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args - not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_util_exfiltration","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"bwj-n0m-ut5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714653425000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714653424","updateDate":1714653425000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xh4-cv2-cfa","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719031023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719031022","updateDate":1719031024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fry-rzn-glo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1748012434322,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial - description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"obtppsoxzh","product_tags":["compliance_framework:HIPAA"],"updateDate":1748012434322,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ctc-pux-luh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737951387000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1737951387","updateDate":1737951389000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container management socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name - == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 - exec.args in [~\"*docker.sock*\", ~\"*dockershim.sock*\", ~\"*containerd.sock*\", - ~\"*crio.sock*\", ~\"*frakti.sock*\", ~\"*rktlet.sock*\"] \u0026\u0026 container.id - != \"\"","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"curl_mgmt_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - network utility was executed in a container","enabled":true,"expression":"(exec.comm - in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] - ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id - != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", - ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_util_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline - in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", - ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", - ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == - \"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_cryptominer_process","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"nco-423-hiu","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1733531824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733531824","updateDate":1733531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer - \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id - != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode - \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os - == \"linux\""],"monitoring":["threat-detection.policy"],"name":"executable_bit_added","product_tags":["tactic:TA0005-defense-evasion","technique:T1222-file-and-directory-permissions-modification","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}}]}' + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process is masquerading as a kernel thread by using bracket notation in its + name","enabled":true,"expression":"(exec.comm in [r\"^\\[.*\\]$\"] || exec.argv0 + in [r\"^\\[.*\\]$\"]) \u0026\u0026 (process.parent.ppid !=2 || 
process.args + != \"\")","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_process_masquerade","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser + WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name + in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in + [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"webdriver_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || + link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_link","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","subtechnique:T1053.003-cron","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump + was used to dump a process memory","enabled":true,"expression":"exec.cmdline + =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"dotnet_dump_execution","product_tags":["tactic:TA0009-collection","technique:T1005-data-from-local-system","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + mount utility was executed in a container","enabled":true,"expression":"exec.comm + == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mount_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl + used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" + \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"service_stop","product_tags":["tactic:TA0040-impact","technique:T1489-service-stop","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5ew","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container management utility listed images","enabled":true,"expression":"exec.file.name + in [\"docker\", \"kubectl\", \"ctr\"] \u0026\u0026 exec.args in [\"image list\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"enum_images","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ku","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"service_new_cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from new service cgroup","enabled":true,"expression":"(exec.envs + in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\" + in container.tags) \u0026\u0026 ${process.correlation_key} in [~\"service_*\"] + \u0026\u0026 process.cgroup.id != process.parent.cgroup.id","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_service_new_cgroup","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress + traffic allowed using iptables","enabled":true,"expression":"exec.comm == + \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] + \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"iptables_egress_allowed","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a + SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || + setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 + process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path + != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"suid_file_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","subtechnique:T1548.001-setuid-and-setgid","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-rcs","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + Trufflehog process was executed","enabled":true,"expression":"exec.file.name + == \"trufflehog\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"trufflehog_executed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","subtechnique:T1552.001-credentials-in-files","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_unlink","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"]\n || link.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"])\n)","filters":["os == + \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-kjt","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"service_new_cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from new service cgroup write","enabled":true,"expression":"cgroup_write.pid + \u003e 0 \u0026\u0026 (process.envs in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] + || \"tags.datadoghq.com/service\" in container.tags) \u0026\u0026 ${process.correlation_key} + in [~\"service_*\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_service_new_cgroup_write","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm + == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_msr_write","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name + in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" + in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"offensive_k8s_tool","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible php shell 
detected","enabled":true,"expression":"exec.file.name + == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args + in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", + ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", + ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"php_shell","product_tags":["tactic:TA0001-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container management utility was executed in a container","enabled":true,"expression":"exec.file.name + in [\"docker\", \"kubectl\", \"ctr\"] \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"suspicious_container_client","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os + == 
\"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"azure_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 + container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name + =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", + ~\"/dev/shm/**\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"hidden_file_executed","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","subtechnique:T1564.001-hidden-files-and-directories","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + scheduled task was created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] + \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"scheduled_task_creation","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + host file system was mounted in a container","enabled":true,"expression":"mount.source.path + == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id + != 
\"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mount_host_fs","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service + registry runkey modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"registry_service_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + matches known relay attack tool","enabled":true,"expression":"exec.file.name + in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", + ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", + \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", + ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", + ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os + == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"relay_attack_tool_execution","product_tags":["tactic:TA0006-credential-access","technique:T1555-credentials-from-password-stores","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux + enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status + in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"selinux_disable_enforcement","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + winlogon registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"winlogon_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ 
~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", + ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_open","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"]\n || rename.file.destination.path + in [\"/etc/sudoers\",~\"/etc/sudoers.d/*\"])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_rename","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","subtechnique:T1548.001-setuid-and-setgid","subtechnique:T1548.003-sudo-and-sudo-caching","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fdc","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != 
\"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"service_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from service","enabled":true,"expression":"(exec.envs in + [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\" + in container.tags) \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\", + ~\"auid_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_service","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network + utility executed with suspicious URI","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", + ~\"*.jpg*\"] ","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_unusual_request","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ 
~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_open","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","subtechnique:T1053.003-cron","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || + rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_rename","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","subtechnique:T1053.006-systemd-timers","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e + 90s","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process made an outbound IRC 
connection","enabled":true,"expression":"connect.addr.port + == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"irc_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","subtechnique:T1071.001-web-protocols","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory + == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load_from_memory_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", + ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_rename","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", + ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_unlink","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM 
+ may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5xt","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detect + attempts to trigger a coredump after modifying /proc/sys/kernel/core_pattern.","enabled":true,"expression":"exit.cause + == COREDUMPED \u0026\u0026 container.id == ${container.core_pattern_write_container_id}","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"coredump_triggered","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path + == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 + O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"open_msr_writes","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_chown","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","subtechnique:T1053.003-cron","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", + ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_chown","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", + \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 + open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name + == \"truncate\"","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_history_truncated","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:compliance","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9zu","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != 
\"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"spawned_shell_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from spawned shell","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.parent.file.name =~ \"php*\" || process.parent.file.name + in [\"mysqld\", \"mongod\", \"postgres\"] || process.parent.file.name in [\"java\", + \"jspawnhelper\"]) \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\", + ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\"]","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_spawned_shell","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ipl","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process 
checked the public IP address of the host","enabled":true,"expression":"connect.addr.hostname + in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", + \"whatismyip.akamai.com\"] \u0026\u0026 connect.addr.is_public == true \u0026\u0026 + connect.addr.port in [80, 443]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ip_lookup_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device + rule created","enabled":true,"expression":"open.file.path in [~\"/etc/udev/rules.d/*\", + ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", + ~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"udev_modification","product_tags":["tactic:TA0003-persistence","technique:T1546-event-triggered-execution","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"actions":[{"set":{"name":"imds_v1_usage_services","field":"process.file.name","append":true,"ttl":10000000000,"inherited":false},"disabled":false}],"category":"Network + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + AWS IMDSv1 request was issued","disabled":["best-practice.policy"],"enabled":false,"expression":"imds.cloud_provider + == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name + not in ${imds_v1_usage_services}","filters":["os == 
\"linux\""],"name":"imds_v1_usage","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-cyz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + shell spawned from a git clone which could be exploitation of CVE-2025-48384","enabled":true,"expression":"exec.comm + in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] + \u0026\u0026 process.ancestors[A].comm == \"git\" \u0026\u0026 process.ancestors[A].argv + in [\"clone\"] \u0026\u0026 process.ancestors[A].args_flags in [\"recursive\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"git_cve_2025_48384","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter + used to breakout of container","enabled":true,"expression":"exec.file.name + == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 + container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"nsenter_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container + escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name + == \"release_agent\" \u0026\u0026 open.file.path in [\"/tmp/**\", \"/home/**\", + \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY + \u003e 0","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"release_agent_escape","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup + tool used for local privilege escalation","enabled":true,"expression":"exec.file.name + == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", + ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", + ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"sharpup_tool_usage","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path + == ~\"/dev/shm/**\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"devshm_execution","product_tags":["tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","subtechnique:T1027.011-fileless-storage","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in + [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.argv0 not in [\"runc\", + \"/usr/bin/runc\", 
\"/usr/sbin/runc\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"dynamic_linker_config_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process
+ Activity","creationDate":1759956888000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The
+ auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path
+ in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026
+ open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026
+ process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"auditd_rule_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""}}}]}'
 headers:
 Content-Type:
 - application/json
diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.frozen
index c74022f8cce..4e0a5ae9a38 100644
--- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.frozen
+++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.frozen
@@ -1 +1 @@
-2025-10-10T15:21:24.672Z
\ No newline at end of file
+2025-10-16T16:03:17.309Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.yml
index 2dbd7b2bff9..9013b0bcd5b 100644
--- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Fri, 10 Oct 2025 15:21:24 GMT
+- recorded_at: Thu, 16 Oct 2025 16:03:17 GMT
 request:
 body: null
 headers:
@@ -10,167 +10,10 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":[{"id":"0qm-ldp-cdh","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759403557","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403557986,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"1fg-gur-iug","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759921987","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921988117,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"1ur-zhi-a34","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759922005","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759922005241,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"2gb-saj-ohv","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1760008346","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008346802,"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"3fz-wlp-u1m","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760094706","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094706697,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"4ul-ae4-a5f","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759403571","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403572006,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"5eu-zrh-6qz","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759490000","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759490000789,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"5mk-9fs-vob","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1760008353","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008353149,"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"61r-pdn-owk","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1760094693","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094693430,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"7af-oqj-hw9","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1760008352","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008352502,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8dd-bbq-42y","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759749059","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749059897,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8hx-gox-gxc","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":0,"name":"my_agent_policy","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094695038,"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8ne-d1b-bqa","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759489998","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489999185,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8pd-3pm-ozt","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1760094701","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094702060,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"9id-zf7-nsz","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1760008345","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008345581,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"CWS_CUSTOM-canary","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"disabledRulesCount":1,"enabled":false,"monitoringRulesCount":271,"name":"Canary - Custom Policy","pinned":false,"policyVersion":"58422","ruleCount":272,"updateDate":1748012897594,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"afj-civ-fqh","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759489986","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489986782,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"aor-qrj-scv","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1760008341","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008341344,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"b4s-j9s-ox7","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1760094695","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094696071,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"best-practice.policy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":7,"name":"Best-practice - Policy","pinned":false,"policyVersion":"1.51.0-rc3","ruleCount":8,"updateDate":1752506673000,"updater":{"name":"Datadog","handle":""},"versions":[{"Name":"1.47.0-rc2","Date":"2025-06-03T15:29:24Z"},{"Name":"1.51.0-rc3","Date":"2025-07-14T15:24:33Z"}]}},{"id":"bos-hym-c0i","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1760094697","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094697533,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"bqw-jt8-7kf","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759835455","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835455739,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"bzv-8ti-3kq","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759835457","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835457099,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"compliance.policy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":0,"enabled":true,"monitoringRulesCount":90,"name":"Compliance - Policy","pinned":false,"policyVersion":"1.53.0-rc4","ruleCount":90,"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""},"versions":[{"Name":"1.47.0-rc2","Date":"2025-06-03T15:29:24Z"},{"Name":"1.53.0-rc4","Date":"2025-07-25T14:21:14Z"}]}},{"id":"coq-c5l-xug","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1760094708","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094708291,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ctp-dsz-se5","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759489982","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489982758,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"dkv-ks4-cf0","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759403561","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403561834,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"dlo-tpx-c6i","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759403556","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403556615,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"drb-olr-ypa","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759489999","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759490000070,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"dzg-8nn-q5y","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759749060","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749060698,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"eki-ric-rep","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759921996","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921996722,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"eti-zze-wf9","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759921987","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921987345,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"exd-abb-4ag","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759489993","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489993978,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"fuu-xha-kon","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759835460","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835460627,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"fw7-twr-i4q","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759749051","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749051417,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"gpd-fh3-lx9","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759403571","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403571251,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"gsv-uce-7tb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760094694","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094694204,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"h4c-iqu-bmb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759749058","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749058798,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"hav-jsh-x4g","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759489981","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489982035,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"hc6-pw9-vyl","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759835455","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835455277,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"hdv-v2h-b57","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759921990","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921990318,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ic4-3pt-11g","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759403560","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403560298,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ieh-pvl-oao","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759403557","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403557227,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"j2v-vgf-aso","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759922003","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759922003235,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"j8d-3z6-sij","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759403573","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403573915,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"jmy-eqd-9pe","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759489985","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489985611,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"kjg-r0g-o0o","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759922002","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759922002498,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"kvl-3dk-tdr","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759403565","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403565216,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"lav-guj-ax5","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759835461","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835461422,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"m4e-nsj-ebv","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759749059","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749059418,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"m9x-wbv-8zz","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1760008342","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008342470,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"mf0-fhj-cdf","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1760094707","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094707394,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"nck-dsm-imm","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760008339","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008339556,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"nzs-doa-1ky","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759921995","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921995444,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"oo1-wfe-kb4","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760008337","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008337724,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"p6w-rwc-iwd","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759490001","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759490002034,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"pgt-jx3-wnu","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759835466","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835466538,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"plv-krt-ysp","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759921991","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921991797,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"py6-pbq-w5x","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1760094700","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094700657,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"quf-26f-nei","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759835467","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835467806,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"qv0-gwh-t0d","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759489992","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489992557,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"rdz-vx2-obu","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759403572","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403572677,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"rig-pjz-aas","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759749050","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749050580,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"rl9-j23-rlg","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759749053","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749053515,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ruo-9zv-ciy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759835457","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835457860,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"s6u-r7b-aux","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759749048","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749048821,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ss5-mzk-2y7","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759749054","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749054295,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"swe-pri-c1b","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759835465","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835465933,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"t3p-mv9-ph6","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760094692","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094692801,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"threat-detection.policy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":0,"enabled":true,"monitoringRulesCount":188,"name":"Threat-detection - Policy","pinned":false,"policyVersion":"1.54.0-rc9","ruleCount":188,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""},"versions":[{"Name":"1.47.1-rc3","Date":"2025-06-11T18:19:50Z"},{"Name":"1.53.0-rc8","Date":"2025-07-25T14:21:14Z"},{"Name":"1.54.0-rc9","Date":"2025-08-07T15:09:31Z"}]}},{"id":"tv4-pid-5av","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1760008354","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008354262,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"u44-skd-fga","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759489983","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489983520,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"vh0-exp-zlb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759749049","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749049301,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"w0q-xbc-gfe","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759835465","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835465396,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"wbs-o5r-jsf","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1760008338","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008338651,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"wpz-e8h-wft","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759921986","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921986620,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"wq9-liw-r3n","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759922003","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759922003973,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"xjb-scd-ssk","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760008351","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008351818,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"yid-2ax-jdx","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759749048","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749048149,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"yx3-nvm-0sf","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759835454","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835454464,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"z2g-22x-8fl","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1760094709","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094709498,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"zal-0mi-lzp","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759403566","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403566325,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}]}' + string: '{"data":[{"id":"best-practice.policy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":7,"name":"Best-practice + Policy","pinned":false,"policyVersion":"1.57.3-rc6","ruleCount":8,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""},"versions":[{"Name":"1.47.0-rc2","Date":"2025-06-03T15:29:24Z"},{"Name":"1.51.0-rc3","Date":"2025-07-14T15:24:33Z"},{"Name":"1.57.3-rc6","Date":"2025-10-08T20:54:48Z"}]}},{"id":"compliance.policy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":0,"enabled":true,"monitoringRulesCount":91,"name":"Compliance + 
Policy","pinned":false,"policyVersion":"1.57.3-rc6","ruleCount":91,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""},"versions":[{"Name":"1.47.0-rc2","Date":"2025-06-03T15:29:24Z"},{"Name":"1.53.0-rc4","Date":"2025-07-25T14:21:14Z"},{"Name":"1.57.3-rc6","Date":"2025-10-08T20:54:48Z"}]}},{"id":"threat-detection.policy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":0,"enabled":true,"monitoringRulesCount":196,"name":"Threat-detection + Policy","pinned":false,"policyVersion":"1.57.3-rc12","ruleCount":196,"updateDate":1759956888000,"updater":{"name":"Datadog","handle":""},"versions":[{"Name":"1.53.0-rc8","Date":"2025-07-25T14:21:14Z"},{"Name":"1.54.0-rc9","Date":"2025-08-07T15:09:31Z"},{"Name":"1.57.3-rc12","Date":"2025-10-08T20:54:48Z"}]}}]}' headers: Content-Type: - application/json diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen index c3b0e27af6e..705d8a84035 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:25.356Z \ No newline at end of file +2025-10-16T16:03:17.937Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml index ae70a191ef2..9a571024a7b 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml 
@@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:25 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:17 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760109685"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760630597"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,20 +14,20 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"ipm-pga-f7v","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760109685","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109685700,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"ukc-7bn-j0a","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760630597","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630598323,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:25 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:17 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}},{"hash":{}}],"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760109685","policy_id":"ipm-pga-f7v","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760630597","policy_id":"ukc-7bn-j0a","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -38,29 +38,29 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"eqm-2k6-tav","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1760109686541,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"7uc-0ej-v14","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1760630599035,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["ipm-pga-f7v"],"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760109685","product_tags":["security:attack","technique:T1059"],"updateDate":1760109686541,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"monitoring":["ukc-7bn-j0a"],"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760630597","product_tags":["security:attack","technique:T1059"],"updateDate":1760630599035,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:25 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:17 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","policy_id":"ipm-pga-f7v","product_tags":[]},"id":"invalid-agent-rule-id","type":"agent_rule"}}' + == \"sh\"","policy_id":"ukc-7bn-j0a","product_tags":[]},"id":"invalid-agent-rule-id","type":"agent_rule"}}' headers: Accept: - application/json 
Content-Type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/eqm-2k6-tav + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/7uc-0ej-v14 response: body: encoding: UTF-8 @@ -73,32 +73,14 @@ http_interactions: status: code: 400 message: Bad Request -- recorded_at: Fri, 10 Oct 2025 15:21:25 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:17 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/eqm-2k6-tav - response: - body: - encoding: UTF-8 - string: '' - headers: - Content-Type: - - application/json - status: - code: 204 - message: No Content -- recorded_at: Fri, 10 Oct 2025 15:21:25 GMT - request: - body: null - headers: - Accept: - - '*/*' - method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ipm-pga-f7v + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ukc-7bn-j0a response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen index 3b744c66e82..e372dc31760 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:29.350Z \ No newline at end of file +2025-10-16T16:03:20.725Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml index e7ddbd57878..d68ebebd395 100644 
--- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:29 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:20 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1760109689"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1760630600"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,20 +14,20 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"o6h-d6x-6ed","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1760109689","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109689734,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"9yd-fit-o2r","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1760630600","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630601105,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:29 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:20 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","policy_id":"o6h-d6x-6ed","product_tags":[]},"id":"non-existent-rule-id","type":"agent_rule"}}' + == \"sh\"","policy_id":"9yd-fit-o2r","product_tags":[]},"id":"non-existent-rule-id","type":"agent_rule"}}' headers: Accept: - application/json @@ -47,14 +47,14 @@ http_interactions: status: code: 404 message: Not Found -- recorded_at: Fri, 10 Oct 2025 15:21:29 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:20 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/o6h-d6x-6ed + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/9yd-fit-o2r response: body: encoding: UTF-8 
diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.frozen index 3eeac850d22..86af16feb49 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:31.894Z \ No newline at end of file +2025-10-16T16:03:22.997Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.yml index 57ef1e0abb4..b7d1391b990 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:31 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:22 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1760109691"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1760630602"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,26 +14,26 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"wun-ynf-q3m","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1760109691","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109692276,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"hen-r9f-dcm","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1760630602","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630603377,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:31 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:22 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:test"],"hostTagsLists":[["env:test"]],"name":""},"id":"wun-ynf-q3m","type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:test"],"hostTagsLists":[["env:test"]],"name":""},"id":"hen-r9f-dcm","type":"policy"}}' headers: Accept: - application/json Content-Type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/wun-ynf-q3m + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/hen-r9f-dcm response: body: encoding: UTF-8 
@@ -45,14 +45,14 @@ http_interactions: status: code: 400 message: Bad Request -- recorded_at: Fri, 10 Oct 2025 15:21:31 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:22 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/wun-ynf-q3m + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/hen-r9f-dcm response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.frozen index 95841c391b7..90bf6d04cf5 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:34.620Z \ No newline at end of file +2025-10-16T16:03:25.128Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.yml index d8ce8ee1c78..49a126ccbfe 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:34 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:25 GMT request: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.frozen index e3979f2e798..26b314b8b7b 100644 
--- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-10-10T15:21:35.321Z \ No newline at end of file +2025-10-16T16:03:25.787Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.yml index 9855d706218..f1ce1e025ea 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 10 Oct 2025 15:21:35 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:25 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionpolicyreturnsokresponse1760109695"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionpolicyreturnsokresponse1760630605"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,45 +14,45 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"cqp-anw-jba","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionpolicyreturnsokresponse1760109695","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109695685,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"xar-g8b-3tf","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionpolicyreturnsokresponse1760630605","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760630606149,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:35 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:25 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"Updated agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"updated_agent_policy"},"id":"cqp-anw-jba","type":"policy"}}' + string: '{"data":{"attributes":{"description":"Updated agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"updated_agent_policy"},"id":"xar-g8b-3tf","type":"policy"}}' headers: Accept: - application/json Content-Type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/cqp-anw-jba + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/xar-g8b-3tf response: body: encoding: UTF-8 - string: '{"data":{"id":"cqp-anw-jba","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"Updated - agent 
policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":0,"name":"updated_agent_policy","pinned":false,"policyVersion":"2","ruleCount":0,"updateDate":1760109696865,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"xar-g8b-3tf","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"Updated + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":0,"name":"updated_agent_policy","pinned":false,"policyVersion":"2","ruleCount":0,"updateDate":1760630607043,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 10 Oct 2025 15:21:35 GMT +- recorded_at: Thu, 16 Oct 2025 16:03:25 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/cqp-anw-jba + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/xar-g8b-3tf response: body: encoding: UTF-8 diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.rb b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.rb index 8687d59637e..6f0670b3529 100644 --- a/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.rb +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.rb @@ -13,7 +13,7 @@ "env:test", ], ], - name: "my_agent_policy_2", + name: "examplecsmthreat", }), type: DatadogAPIClient::V2::CloudWorkloadSecurityAgentPolicyType::POLICY, }), diff --git a/features/v2/csm_threats.feature b/features/v2/csm_threats.feature index be43d01881d..5f8813b9563 100644 --- a/features/v2/csm_threats.feature +++ b/features/v2/csm_threats.feature 
@@ -87,14 +87,14 @@ Feature: CSM Threats @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection policy returns "Conflict" response Given new "CreateCSMThreatsAgentPolicy" request - And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "type": "policy"}} + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "{{ unique_lower_alnum }}"}, "type": "policy"}} When the request is sent Then the response status is 409 Conflict @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection policy returns "OK" response Given new "CreateCSMThreatsAgentPolicy" request - And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "my_agent_policy_2"}, "type": "policy"}} + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "{{ unique_lower_alnum }}"}, "type": "policy"}} When the request is sent Then the response status is 200 OK diff --git a/features/v2/undo.json b/features/v2/undo.json index 6e05ad8acd5..3e9861be8d1 100644 --- a/features/v2/undo.json +++ b/features/v2/undo.json 
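Review bot: The "Conflict" scenario now sends `"name": "{{ unique_lower_alnum }}"`, but the only step before the request is `Given new "CreateCSMThreatsAgentPolicy" request`, so nothing in the hunk creates a policy with that same name first and a fresh unique name cannot by itself produce a 409. The scenario is tagged `@skip`, so the mismatch would not surface in CI. Unless a fixture outside this hunk pre-creates the policy, either add a setup step that creates a policy with the same name before this request, or keep a fixed, known-existing name for this scenario only.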
@@ -2815,16 +2815,28 @@
 },
 "CreateCSMThreatsAgentRule": {
 "tag": "CSM Threats",
- "undo": {
- "operationId": "DeleteCSMThreatsAgentRule",
- "parameters": [
- {
- "name": "agent_rule_id",
- "source": "data.id"
- }
- ],
- "type": "unsafe"
- }
+ "undo": [
+ {
+ "operationId": "DeleteCSMThreatsAgentRule",
+ "parameters": [
+ {
+ "name": "agent_rule_id",
+ "source": "data.id"
+ }
+ ],
+ "type": "unsafe"
+ },
+ {
+ "operationId": "DeleteCSMThreatsAgentPolicy",
+ "parameters": [
+ {
+ "name": "policy_id",
+ "source": "data.attributes.monitoring[0]"
+ }
+ ],
+ "type": "unsafe"
+ }
+ ]
 },
 "DeleteCSMThreatsAgentRule": {
 "tag": "CSM Threats",
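Review bot: The added `DeleteCSMThreatsAgentPolicy` cleanup takes its `policy_id` from `data.attributes.monitoring[0]` of the create-rule response, i.e. whatever policy the rule happens to be attached to, so a scenario that attaches a rule to a shared or pre-existing policy would have that policy deleted on undo rather than only the resources the scenario created. The cassettes above record the policy being created by its own request and removed by its own `DELETE …/remote_config/products/cws/policy/<id>`, so for those scenarios this entry also means a second delete of the same id; consider dropping it or limiting it to scenarios where the policy is not created separately. `undo` changes from an object to an array for this entry only in view, so every reader of undo.json must now accept both shapes unless the rest of the file is migrated too. Separately, the re-recorded cassette in the "Update a Workload Protection agent rule returns Bad Request" hunk above dropped the agent-rule DELETE and kept only the policy DELETE, which is not what an undo list that issues both would record, so it is worth confirming that is intended.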